neorouter
TRANSCRIPT
Version 111
User Manual
Last Updated June 23 2010
Web-site httpwwwneoroutercom
Technical Support httpwwwneoroutercomsupport
Copyright 2010 NeoRouter Inc
All rights reserved
User Manual
NeoRouter Inc 2010 Page 2 of 53
Table of Contents Table of Contents 2 1 Scope of service 4
11 About NeoRouter 4 12 Key Features 4 13 Glossary and Concepts 5 14 How it works 6 15 System Requirements 7 16 Acknowledgements 7
2 Installation 8 21 Check list 8 22 Server Setup 8
221 Server Network Requirements 8 222 Install NeoRouter server on Windows 8 223 Install NeoRouter server on Mac 10 224 Install NeoRouter server on Linux 10 225 Install NeoRouter Server on OpenWRT Kamikaze 11 226 Install NeoRouter Server on Tomato 11 227 Install NeoRouter Server on Fonera 20 N 11 228 Create first administrator account 12 229 Setup NeoRouter domain 12 2210 Port forwarding 12
23 Client Setup 12 231 Install NeoRouter Client on Windows 12 232 Install NeoRouter Client on Mac 13 233 Install NeoRouter Client on Linux 13 234 Install NeoRouter Client on OpenWRT Kamikaze 14 235 Install NeoRouter Client on Fonera 20N 14
3 Network Explorer 15 31 Launch and Sign In 15 32 Computer List 16 33 Add-on 17
331 Add-on launch pad 18 332 Manage Add-ons (Windows) 19 333 Manage Add-ons (Mac) 22
34 Connection Options 24 341 P2P Connection 24 342 Proxy Setting 24 343 Server Local Address 25
35 Multi-Language 26 351 Install a language resource file 26 352 Language resource file format 26 353 Multi-Language support for Add-ons 27
36 Skin 27 37 Network Explorer CLI 27
371 Launch CLI 28 372 Computer List in CLI 28
38 Network Explorer Portable 28 381 Network Explorer Portable 29 382 Auto Run Configuration for USB 29
39 Change Password 30 4 Configuration Explorer 31
41 Launch and Sign In 31
User Manual
NeoRouter Inc 2010 Page 3 of 53
42 Managing Users 32 43 Managing Computers 33 44 Access Control List 34
441 Overview 34 442 Define Computer ACL 35 443 Define ACL entry 36 444 How Firewall Works 36 445 Example hub-and-spoke 37 446 Example one-way access 37
45 Managing Server and Domain 38 46 Branding 38 47 Server Configuration CLI 40
5 Advanced Configuration 40 51 Change Server Port 40 52 Change DHCP 41 53 Network Bridge 41
531 Overview 41 532 Routing vs Bridging 42 533 Setup Network Bridge 42 534 Bridging Setup ndash point to site VPN 43 535 Routing Setup ndash site to site VPN 45 536 Bridging Setup ndash site to site VPN 47 537 Run Scripts 47
54 Build Custom Add-on (Windows) 48 541 Create Custom Add-on 48 542 Add-on File Formats 50
6 Licensing NeoRouter 51 61 Licensing Overview 51 62 Activation 51 63 Product Key Recovery 51
7 Troubleshooting and Support 52 71 Troubleshooting 52
711 Troubleshooting steps 52 712 Generate Log 53
72 Contact Us 53
User Manual
NeoRouter Inc 2010 Page 4 of 53
1 Scope of service
11 About NeoRouter
NeoRouter is a cross-platform zero-configuration VPN solution that securely connects Windows Mac and Linux
computers at any locations into a virtual LAN and provides a networking platform for various applications like
remote desktop shared folders and printers offsite backup voice amp video chat games etc It is the ideal Remote
Access and VPN solution for small businesses and homes
Many small businesses or homes have high-speed internet and multiple computers and users are facing challenges
like remote access directory management and network security To solve similar problems at large enterprises
skilled administrators can deploy very expensive and complex tools like VPN domain controller and corporate
firewall But small business or home users do not have the right tools that fit their needs
Our mission is to provide low-cost zero-configuration networking solutions for small businesses and homes This is
why we have built NeoRouter
12 Key Features
Feature Description
Cross platform Support Windows (from Windows 2000 to Win7) Mac OSX (from Tiger to Snow
Leopard) Linux (all major distros) and router firmwares (tomato fon and openwrt)
Roaming Profile You can sign in from any computer using the same account and your profile (including
the computer list and your preference) will roam with you
P2P NeoRouter can setup direct peer-to-peer (P2P) connection between computers When
direct P2P connection is impossible (eg your computer is behind a corporate
firewall) NeoRouter relays the network traffic through your own router while other
VPN products relay through a central server geologically located far away and shared
by thousands of other users
High portability You can run NeoRouter portable client from a USB drive without installation This
feature is especially useful if you are using a computer that you do not have the
privileges to setup new software eg in a library or hotel
Unattended servers NeoRouter runs as a system service (daemon) and will automatically reconnect after
reboot
Add-ons Add-ons extend NeoRouter and let you perform additional tasks over the virtual
network
Proxy Proxy support allows you access your virtual network behind proxy servers that
support HTTP Proxy SOCKS4 and SOCKS5 protocols
Remote Wakeup You can put your computer to standby mode to conserve electricity and NeoRouter can
wake up the computer when you actually use it
Reliability NeoRouter does not rely on a central server for connectivity so you do not need to
worry about the unexpected server maintenance and downtime
Network Bridge You can either bridge the NeoRouter virtual network with physical networks or create
multiple site-to-site VPN
Access control You can grant or deny users accesses to a computer or a serviceport individually For
example you can prevent your client Bob from accessing your internal file server even
though they are on the same virtual LAN
Customization You can personalize the user interface with your native language and favorite skin
Branding Business users can integrate the companys logo and customize the banner
User Manual
NeoRouter Inc 2010 Page 5 of 53
13 Glossary and Concepts
NeoRouter Virtual Network (VLAN) NeoRouter software connects a group of hosts from any locations into a
virtual LAN-like network that has similar attributes as a physical LAN Hosts can communicate as if they were
attached to the same broadcast domain even if they are not located on the same network switch
NeoRouter Client A host on the VLAN is called NeoRouter Client It has a virtual network adapter and is assigned
a virtual IP address
NeoRouter Server NeoRouter Server assists clients in discovering and communicating to each other It also
manages usersrsquo profiles and privileges software licenses and branding NeoRouter Clients must connect to server in
order to join the VLAN
NeoRouter Domain One NeoRouter Server and multiple NeoRouter Clients that connect to this server are
collectively called NeoRouter Domain Each domain has a globally unique name as its identification Domain names
are managed by NeoRouter Inc
NeoRouter User A NeoRouter User is a person who uses NeoRouter software and accesses hosts on a virtual
network Please note that many other VPN solutions like OpenVPN or Hamachi do not distinguish a user from a
client host NeoRouter introduces the user concept so that a user will have the experience regardless on which
computer he connects to the VLAN and admin can manage each userrsquos access privilege
NeoRouter Administrator A NeoRouter Admin is a user who can also manage the VLAN
NeoRouter Network Explorer The main application installed on a client that allows users to log into the VLAN
view the connection status of other clients and launch add-on programs to connect to remote clients It may have
graphic or command-line user interface (executable is nrclientcmd)
NeoRouter Network Explorer PortableUSB (aka Viewer) A version of the NeoRouter Network Explorer that
requires no installation It is ideal for users who need to connect from a kiosk but do not have the privilege to install
software It allows users to log in and launch add-on programs just like the regular Network Explorer But the local
computer will not join the VLAN and other clients will not be able to connect to it It also ensures no personal
information is left behind after use
NeoRouter Configuration Explorer (aka Console) An application installed on a client or a server that allows
administrators to manage a VLAN Configuration Explorer for Windows has a graphic user interface and can be
used to configure local or remote server Configuration Explorer for Mac and Linux are built into serverrsquos
command-line interface (executable is nrserver) and can configure local server only
NeoRouter Client Service A daemon program installed on a client that establishes connections to server and peer
clients It always runs in the background and ensures the connections even when the Network Explorer is not
running Most users do not need to interactive with this program directly
Access Control List (ACL) An ACL of a host specifies which users are granted or denied access to the host and
which ports are allowed Each host also has a default ACL which is used if a userrsquos privilege is not explicitly
defined in the hostrsquos ACL or if user does not sign in Network Explorer on the remote host
NeoRouter Dashboard A web-based application that allows users to manage domain information and view
domain status (httpswwwneoroutercomDashboard)
NeoRouter Dynamic Domain Name System (DDNS) To simplify user log on NeoRouter maintains domain
name public IP address and port of every NeoRouter server in a central DDNS server When user launches Network
Explorer and signs into a domain Network Explorer contacts the DDNS server translates the domain name into the
actual IP address and port and connects to the NeoRouter server
User Manual
NeoRouter Inc 2010 Page 6 of 53
14 How it works
In the NeoRouter domain shown in the above diagram three clients at different locations can establish direct P2P
connections with the help from server and can communicate to each other as if they were in the same physical LAN
A NeoRouter server is usually setup on an always-on host that has stable Internet connection and a static or dynamic
public IP address If server is behind a router (or firewall) user needs to configure the router and expose the
NeoRouter server port (default to 32976) to Internet by port-forwarding or UPnP
NeoRouter client can connect from anywhere as long as it has Internet connection User can simply launch
NeoRouter Network Explorer signs in with user credential and domain name and heshe will be able to view the list
of hosts in the VLAN and launch add-on programs to access them Network Explorer uses a DDNS-like protocol to
discover and connects to the NeoRouter server (blue lines) When user executes add-on programs NeoRouter client
will establish a direct P2P connection to the requested peer client (green lines) and a secure tunnel that transfers the
network data from all the add-on programs
NeoRouter server remembers the signature of a client after its first successful connection and NeoRouter Client
Service daemon can then connect to the VLAN without requiring user to log into NeoRouter Network Explorer
This allows an untended server to always stay connected
NeoRouter clients use the STUN and STUNT methods to establish the direct P2P connections and achieve highest
connection speed These methods are widely used in P2P programs and have very high success rate If a client is
behind a symmetric NAT which is often found in large corporations these methods may fail and the connection to
this client will fall back to relay mode If the traffic between two clients is relayed through server the serverrsquos
physical location network speed and CPU load may affect the connection speed
NeoRouter uses SSLv3 (AES-256) protocol to secure the communication channel between client and server and uses
a suite of protocols (RSA 2048bit DH and AES-256) to protect P2P connections among clients This solution meets
the industryrsquos highest security standards
User can setup NeoRouter server and client on the same host NeoRouter server by itself cannot add a host into
VLAN or communicate with peer clients using their virtual IP addresses User often sets up NeoRouter client
software on the same host as server so that this host can become part of the VLAN
User Manual
NeoRouter Inc 2010 Page 7 of 53
15 System Requirements
NeoRouter client and server can be installed on
Windows (Win 7VistaXP200820032000)
Mac OSX (x86 LeopardSnow Leopard PPC Tiger)
Linux i386 and x64 (RedhatFedoraCentOS UbuntuDebian SuSE)
Linux-based router firmware (Tomato OpenWRT Kamikaze Fonera2n)
16 Acknowledgements
NeoRouter is made possible because of the following open-source projects
OpenSSL the Open Source toolkit for SSLTLS httpwwwopensslorg
OpenWrt a Linux based firmware program for embedded devices such as residential gateways and routers
httpwwwopenwrtorg
Tomato Firmware a small lean and simple replacement firmware for Broadcom-based routers
httpwwwpolarcloudcomtomato
Fon A router that allow its user to securely share their Wi-Fi network with other Fon members httpwwwfoncom
Tun-Tap OSX the virtual network interface for Mac OS X httptuntaposxsourceforgenet
Nullsoft Scriptable Install System (NSIS) a professional open source system to create Windows installers
httpnsissourceforgenet
NRClientX a GUI frontend for NeoRouter Network Explorer on Mac Linux and Windows
httpsourceforgenetprojectsnrclientx
User Manual
NeoRouter Inc 2010 Page 8 of 53
2 Installation
21 Check list
Here are the steps to setup a NeoRouter Virtual LAN Please refer to next few sections for detailed instructions on
your target operating systems
Server Setup
a Choose a host that meets the network requirements as NeoRouter server
b Install NeoRouter server software
c Create the first administrator if necessary
d Setup NeoRouter domain
e Configure router or firewall for port-forwarding or UPnP if necessary
Note NeoRouter Server for Windows has an install wizard that guides user through steps b c amp d
Client Setup
a Install NeoRouter client software
b Sign In Network Explorer and join this host to VLAN
c Install add-ons if necessary
License activation See Chapter 6 Licensing NeoRouter
22 Server Setup
221 Server Network Requirements
A NeoRouter server is usually setup on an always-on host that has stable Internet connection and a static or dynamic
public IP address If server is behind a router (or firewall) user needs to configure the router and expose the
NeoRouter server port (default to 32976) to Internet by port-forwarding or UPnP
222 Install NeoRouter server on Windows
a Download NeoRouter installation package for Windows NeoRouter server and client for Windows share
the same installation package
If you are installing on Windows 2000 please download the package for this OS
b If you have installed an earlier version of NeoRouter please uninstall it using Windows Add or Remove
Program tool
You may be prompted with a dialog box asking whether to remove user data files generated by NeoRouter
These files include database configuration and cached information If you are simply upgrading please
click ldquoNordquo to keep the files
c Launch the installation wizard choose NeoRouter Server and click the Next button
User Manual
NeoRouter Inc 2010 Page 9 of 53
d Setup a domain name that can uniquely identify your virtual LAN You will need to enter the domain name
in the log on to box during sign in
e Setup the administrator account for your domain You will need to enter the username and password during
sign in
User Manual
NeoRouter Inc 2010 Page 10 of 53
f Click the Finish button to complete installation
g NeoRouter is installed under ldquoProgram FilesZebraNetworkSystemsNeoRouterrdquo and user data is stored
under ldquoAllUsersAppdataZebraNetworkSystemsNeoRouterrdquo
h NeoRouter server daemon can be controlled in Services Console (servicesmsc)
223 Install NeoRouter server on Mac
a Download NeoRouter server for Mac
b If you have installed an earlier version of NeoRouter please uninstall it In a terminal execute command
sudo LibraryNeoRouterrmnrserversh
c Double-click nrserver-ltversiongt-ltreleasegtdmg to open the disk image in Finder
d Double-click NeoRouterServermpkg to launch installer
e NeoRouter is installed under LibraryNeoRouter folder and user data is stored under
usrlocalZebraNetworkSystemsNeoRouter
224 Install NeoRouter server on Linux
a Download NeoRouter Server for your Linux distribution
b If you have installed an earlier version of NeoRouter please uninstall it
Redhat and Fedora sudo rpm -e nrserver
SuSE sudo rpm -e nrserver
Ubuntu and Debian sudo dpkg -r nrserver
c Install
Ubuntu amp Debian sudo dpkg -i nrserver-ltversiongt-ltreleasegti386deb
SuSE sudo rpm -i nrserver-ltversiongt-ltreleasegti386rpm
Redhat and Fedora sudo rpm -i nrserver-ltversiongt-ltreleasegti386rpm
Configure OpenSSL NeoRouter is compiled using openssl 098g If you have an older version of
Fedora please upgrade the openssl package You may also need to add the following symbol links
cd lib
ln -s libcryptoso098g libcryptoso098
ln -s libsslso098g libsslso098
d Configure firewall for NeoRouter server listening port
User Manual
NeoRouter Inc 2010 Page 11 of 53
Redhat and Fedora In a terminal run command sudo nano etcsysconfigiptables add -A INPUT -m
state --state NEW -m tcp -p tcp --dport 32976 -j ACCEPT before COMMIT
SuSE Launch firewall configuration tool choose Allowed Services in the left panel choose External
Zone in the first drop-down box choose NeoRouter server in the second drop-down box click Add
button click Next click Finish to save the changes
Ubuntu does not support firewall by default If you setup any firewall please open NeoRouter server port
(32976 by default)
e NeoRouter is installed under usrbin and user data is stored under
usrlocalZebraNetworkSystemsNeoRouter
225 Install NeoRouter Server on OpenWRT Kamikaze
a Connect to the router using ssh
b Update available install packages using command opkg update
c If you have installed an earlier version of NeoRouter please uninstall it opkg uninstall nrserver
d Install opkg install httpwwwneoroutercomDownloadsKamikazenrserver_ltversiongt-
ltreleasegt_mipselipk
e Configure firewall for the NeoRouter server listening port
edit etcfirewalluser and add the following
iptables -t nat -A prerouting_wan -p tcp --dport 32976 -j ACCEPT
iptables -A input_wan -p tcp --dport 32976 -j ACCEPT
f NeoRouter is installed under usrbin and user data is stored under
usrlocalZebraNetworkSystemsNeoRouter
226 Install NeoRouter Server on Tomato
a Download NeoRouter Server for Tomato It is a custom build of the full tomato firmware in TRX format
b Flash your router with the downloaded firmware See httpenwikibooksorgwikiTomato_(firmware) for
instructions
c In tomato UI ndash Administration ndash Jffs2 enable jffs and format if needed
d In tomato UI ndash Administration ndash scripts ndash WAN up add usrbinnrserversh start
e Reboot router
f NeoRouter is installed under usrbin and user data is stored under
usrlocalZebraNetworkSystemsNeoRouter
g Troubleshoot If you have trouble signing into NeoRouter Network Explorer from a remote client please
try DISABLE the Inbound Connection Logging In tomato UI - Status - Logs - Logging Configuration
disable Inbound Connection
227 Install NeoRouter Server on Fonera 20 N
a Download the NeoRouter Server for Fonera 20N (FON Plugin) package
b Open browser and log on to Fonera router web interface By default it is http192168101
c Navigate to Dashboard gtgt Applications
d If you have installed an earlier version of NeoRouter please uninstall it choose NeoRouter and click on the
ldquoXrdquo button to remove it
e Make sure there is more than 13MB free space left on the device
f Click the Browse button and choose the NeoRouter package then click the Upgrade button
g The installation will complete in a few seconds and the webpage will refresh automatically Do not
interrupt your browser during installation
h Please verify that NeoRouter icon shows up in the applications list and dashboard
i NeoRouter is installed under usrbin and user data is stored under
usrlocalZebraNetworkSystemsNeoRouter
User Manual
NeoRouter Inc 2010 Page 12 of 53
228 Create first administrator account
On Windows the install wizard will guide user to create the administrator
On non-Windows platforms NeoRouter can defer the authentication to the OS So user can sign in NeoRouter
using the same username and password as heshe logs into OS An exception is that if userrsquos OS account does
not have a password NeoRouter will not allow heshe to log in In this case user must create the first
administrator account using nrserver CLI ldquonrserver -adduser ltusernamegt ltpasswordgt [admin|user]rdquo On Mac
nrserver is located under ldquoLibraryNeoRouterrdquo
229 Setup NeoRouter domain
This step is only necessary on non-Windows platforms because Windows install wizard does this
automatically
a Launch web browser navigate to Dashboard CreateDomain page
httpswwwneoroutercomDashboardCreateDomainaspx fill the form and click Save
b Open a terminal on the server host and execute ldquonrserver -setdomain ltdomain namegt ltdomain
passwordgtrdquo On Mac nrserver is located under ldquoLibraryNeoRouterrdquo
2210 Port forwarding
This step is only necessary if your server host is behind a router or firewall We need to expose the NeoRouter
server port to Internet so server can accept incoming connections from the NeoRouter clients If you are using
NeoRouter in-a-box version and your router is directly connected to the cableDSL modem this step is
unnecessary
a Assign the server host a static LAN IP address
b Add ltserver host IP port 32976gt to Port Forwarding list NeoRouter server listens at port 32976 by default
and admin can change the port number using Configuration Explorer or nrserver CLI
Another option is to expose the NeoRouter server port is by UPnP This is only supported on Windows
a Enable UPnP in your router or firewall
b Launch Configuration Explorer on the server host click on ldquoSettingsrdquo tab and change ldquoserver NAT
settingrdquo to ldquoEnable UPnPrdquo
c Click the ldquoRestartrdquo button to restart server daemon
23 Client Setup
231 Install NeoRouter Client on Windows
a Download NeoRouter installation package for Windows NeoRouter server and client for Windows share
the same installation package
If you are installing on Windows 2000 please download the special package for this OS
b If you have installed an earlier version of NeoRouter please uninstall it using Windows Add or Remove
Program tool
c Run the installation wizard choose NeoRouter Client and click the Next button
User Manual
NeoRouter Inc 2010 Page 13 of 53
d On Vista or Win7 you may be prompted with a security warning because NeoRouter installs a virtual
network adapter Please allow the installer to proceed
e Follow the wizard to complete installation
f NeoRouter Network Explorer and Configuration Explorer are added to Windows Start menu
g NeoRouter is installed under ldquoProgram FilesZebraNetworkSystemsNeoRouterrdquo and user data is stored
under ldquoAllUsersAppdataZebraNetworkSystemsNeoRouterrdquo
h NeoRouter client service daemon can be controlled in Services Console (servicesmsc)
232 Install NeoRouter Client on Mac
a Download NeoRouter client for Mac
b If you have installed an earlier version of NeoRouter please uninstall it In a terminal execute command
sudo LibraryNeoRouterrmnrclientsh
c Double-click nrclient-ltversiongt-ltreleasegtdmg to open the disk image in Finder
d Double-click tuntap-ltversiongtpkg to install virtual network interface kernel extension
e Double-click NeoRouterClientmpkg to install NeoRouter client
f On Leopard or above NeoRouter Network Explorer is installed to the Applications folder
g On PPC Tiger a shortcut (nrclientcmd) is created on the Desktop and double-click it will launch Network
Explorer CLI
h NeoRouter is installed under ApplicationsNeoRouterapp and LibraryNeoRouter folder and user data is
stored under usrlocalZebraNetworkSystemsNeoRouter
233 Install NeoRouter Client on Linux
a Download NeoRouter Client for your Linux distribution
b If you have installed an earlier version of NeoRouter please uninstall it
Redhat and Fedora sudo rpm -e nrclient
SuSE sudo rpm -e nrclient
Ubuntu and Debian sudo dpkg -r nrclient
c Install
User Manual
NeoRouter Inc 2010 Page 14 of 53
RedHat and Fedora sudo rpm -i nrclient-ltversiongt-ltreleasegti386rpm
SuSE sudo rpm -i nrclient-ltversiongt-ltreleasegti386rpm
Ubuntu and Debian sudo dpkg -i nrclient-ltversiongt-ltreleasegti386deb
d Configure firewall for P2P connection (Optional)
Establishing direct P2P connection on Linux requires user to disable firewall Otherwise all connections to
this client will be relayed via server User must evaluate the trade-offs between performance and security
If this client is always physically located inside a trusted network like office or home LAN we recommend
disabling firewall and allow P2P connection If this client is physically located in an un-trusted network
like airport or coffee shop we recommend enabling firewall and relay all traffic via server
e Run usrbinnrclientcmd to launch Network Explorer CLI
f NeoRouter is installed under usrbin and user data is stored under
usrlocalZebraNetworkSystemsNeoRouter
234 Install NeoRouter Client on OpenWRT Kamikaze
a Connect to the router using ssh or telnet
b Update available install packages using command opkg update
c If you have installed an earlier version of NeoRouter please uninstall it opkg uninstall nrclient
d Install opkg install httpwwwneoroutercomDownloadsKamikazenrclient_ltversiongt-
ltreleasegt_mipselipk
e Configure firewall for P2P connection (Optional)
Please read NeoRouter client installation instructions for Linux and evaluate the trade-off between
performance and security If you decide to turn off firewall here is the instruction
edit etcfirewalluser and add the following
iptables -t nat -A prerouting_wan -p tcp -j ACCEPT
iptables -A input_wan -p tcp -j ACCEPT
iptables -t nat -A prerouting_wan -p udp -j ACCEPT
iptables -A input_wan -p udp -j ACCEPT
f Run usrbinnrclientcmd to launch Network Explorer CLI
g NeoRouter is installed under usrbin and user data is stored under
usrlocalZebraNetworkSystemsNeoRouter
h Turn your router into a file or backup server (Optional)
If your router has 8MB or more flash there should be enough space left for other packages You can enable
USB storage and Samba server and turn your router into a file server Or you can install rsync and turn it
into a backup server NeoRouters remote access and VPN service will allow you to securely access the
files from anywhere This solution is a lot cheaper than Small Business server or Windows Home server
Enable USB Storage httpnuwikiopenwrtorgoldwikiusbstoragehowto
Install Samba httpwikiopenwrtorgoldwikisambahowto
Install rsync httpoldwikiopenwrtorgrsync(2d)usb(2d)sambaHowTohtml
235 Install NeoRouter Client on Fonera 20N
a As Fonera 20N does not provide enough flash memory to install the NeoRouter client package we can run
it from a USB drive Another option is to flash the router with OpenWrt Kamikaze
b Download NeoRouter Client for Fonera 20N package
c Copy the package to a USB drive plug the USB drive to the FON router
d Connect to router using ssh
e Extract files tar zxvf nrclient-0991528-fon2n-mipseltgz
f If you didnt install the NeoRouter server plugin for FON please run the following commands Otherwise
you can skip this step
cp libuClibc++-022so usrliblibuClibc++-022so
ln -s usrliblibuClibc++-022so usrliblibuClibc++so0
g Setup NeoRouter Client
mkdir usrlocalZebraNetworkSystemsNeoRouter
run ldquonrservice amprdquo to launch the client service in the background
User Manual
NeoRouter Inc 2010 Page 15 of 53
run nrclientcmd to launch the Network Explorer CLI
h Disable firewall if you would like to establish direct P2P connection to this client
i Use the following steps to run client service automatically
vi usrbinnrcronclient and enter
binsh
if [ -z $(ps | grep nrservice | grep -v grep) ] then
usrbinnrservice gtdevnull amp
fi
exit 0
chmod 755 usrbinnrcronclient
Add a new entry to fonstate
etcinitdfonstate stop
vi etcconfigfonstate and enter
config fontimer
option action usrbinnrcronclient
option period 30
etcinitdfonstate start
3 Network Explorer
31 Launch and Sign In
a On Windows launch NeoRouter Network Explorer from Windows Start Menu | All Programs | NeoRouter
| NeoRouter Network Explorer
On Mac Leopard or above launch NeoRouter Network Explorer from Applications folder You can also
pin NeoRouter to the dock
User Manual
NeoRouter Inc 2010 Page 16 of 53
b Enter user credential
- If NeoRouter server is installed on Windows please use the administrator account created during
server setup
- If NeoRouter server is installed on other platforms NeoRouter can defer the authentication to the
operating system so user can sign in using the same username and password as heshe logs into OS
- User can also use the additional accounts created in Configuration Explorer or server CLI
- If you are invited to a NeoRouter domain please contact the administrator for your account
information
c In the Log on to field enter the domain name you have chosen during server setup Alternatively you can
enter the serverrsquos IP address or computer name You can also enter localhost if the Network Explorer is
on the same host as the server
d If the client host is behind proxy please choose Menu ldquoFile | Connectionsrdquo to bring up the Connection
Options dialog click Proxy Setting tab and then set proxy information
e Click the Sign In button
32 Computer List
The computer list is your view of the VLAN You can add any computer in your VLAN to this list and organize
according to your preference You will always have the same list regardless where you sign in from Each user will
have hisher separate list
Initially you will see an empty computer list after signing in for the very first time (see the left picture below) To
add a computer you can choose the menu Computers | Add a computer and then select the computer and category
in the dialog Once complete your computer list will be updated (see the right picture below)
You can use categories to help manage a long list of computers To create a category you can choose menu
Computers | Create a category To move a computer to a different category you can simply drag and drop
User Manual
NeoRouter Inc 2010 Page 17 of 53
Starting in release v098 the computer list shows the OS type icons next to a computer name If a computer is
online its icon is colourful and its name is bold If a computer is offline its icon is grey and its name is not bold
33 Add-on Add-ons extend NeoRouter Network Explorer and let you perform additional tasks over the virtual network
User Manual
NeoRouter Inc 2010 Page 18 of 53
331 Add-on launch pad
If you click on a computer in the computer list a popup dialog will display a list of actions you can take to remotely
control and access this computer This dialog is called the add-on launch pad
Screenshots on Windows
Screenshot on Mac
User Manual
NeoRouter Inc 2010 Page 19 of 53
NeoRouter Network Explorer has a few system default add-ons If a computer is online the following add-ons are
available
Icon Action
remote desktop connection
file sharing
ICMP ping
copy the IP address
If a computer is offline the following add-ons are supported
Icon Action
remote wakeup (WOL)
Note on remote wakeup NeoRouter server can send the Magic packet and wake up hosts that are WOL enabled If
the NeoRouter server is installed on a router remote wakeup works for hosts directly attached to this router If
server is installed on Windows Linux or Mac remote wakeup works for hosts in the same physical LAN To enable
WOL you may need to change BIOS and OS settings
332 Manage Add-ons (Windows)
You can download additional add-ons from the NeoRouter download website
(httpwwwneoroutercomaddonsindexhtml) and install them using the Add-on Manager Here we use UltraVNC
as an example to explain the setup process
a Launch NeoRouter Network Explorer choose menu File - Add-ons
b The Add-ons Manager dialog lists all the existing add-ons including system default ones and those
installed by user
User Manual
NeoRouter Inc 2010 Page 20 of 53
c To find more add-ons click on the Add-ons Gallery link at the bottom of the dialog or visit
httpwwwneoroutercomaddonsindexhtml in your web browser Download the add-on (nri) file to
your computer
d In the Add-ons Manager dialog click on Install button locate the nri file you just downloaded and
click Open to install the add-on
e Some add-ons including UltraVNC may require user to restart the NeoRouter Network Explorer to
complete the installation In such case you will see the following message box You can exit NeoRouter
Network Explorer by right click its icon in system tray and choose exit
f After installation you will see the new add-ons show up in the list
User Manual
NeoRouter Inc 2010 Page 21 of 53
g When you re-launch NeoRouter Network Explorer UltraVNC server will be started automatically If you
have not run UltraVNC server before you will see the following firewall warning and VNC configuration
dialog
h Please click the unblock button when you see the following dialog
Please enter VNC password then click the Ok button
User Manual
NeoRouter Inc 2010 Page 22 of 53
i Repeat the above steps on the remote computer that you plan to access
j To launch VNC viewer and access the remote computer choose the computer in the computer list and
click VNC viewer icon in the launch pad
333 Manage Add-ons (Mac)
a Launch NeoRouter Network Explorer choose menu File - Add-ons
b The Add-ons Manager dialog lists all the existing add-ons including system default ones and those added
by user
User Manual
NeoRouter Inc 2010 Page 23 of 53
c An add-on is essentially an apple script with NeoRouter parameters Here are some examples
Name Script
Copy IP set the clipboard to $NRIPAddress
Ping tell application Terminal to do script ping $NRIPAddress
Shared Folder tell application Finder to open location smb$NRIPAddress
Variables $NRIPAddress and $NRComputerName will be replaced with the IP and name of the selected
computer before the add-on is executed
d You can also create new add-ons or edit existing ones using the Add-On Properties dialog
User Manual
NeoRouter Inc 2010 Page 24 of 53
e To learn more about Apple Script please visit the following websites
httpenwikipediaorgwikiAppleScript
httpdeveloperapplecommaclibrarydocumentationAppleScriptConceptualAppleScriptXAp
pleScriptXhtml
34 Connection Options Connection Options dialog can be opened from Network Explorer menu ldquoFile | Connectionrdquo
341 P2P Connection This option allows user to specify the connection type between this computer and its peers The default option is
UDP User can also use direct TCP connection or relay traffic through NeoRouter server
342 Proxy Setting If the client host is behind proxy user can enter the proxy information here
User Manual
NeoRouter Inc 2010 Page 25 of 53
343 Server Local Address This option can be used to work around the connectivity issue when NeoRouter server is behind a router that does
not support hairpin
A router supports hairpin if it allows a host behind it to send network messages to its public-facing interface
Unfortunately some popular routers do not support this feature or turn off this feature by default
When user logs into NeoRouter Network Explorer first translates domain name into routerrsquos public address using
the NeoRouter DDNS service and then tries to connect to server using this address If both NeoRouter server and
client are behind the same router and the router does not support hairpin the router will block the messages that
client sends to the routerrsquos public address thus client fails to establish connection to server User could work around
this issue by entering serverrsquos LAN IP address instead of domain name in the ldquolog on tordquo box but this can be a
hassle for laptop users who frequently move between networks
These users can choose the second option ldquoConnect to server using its local address when possiblerdquo in the following
dialog and enter serverrsquos local address NeoRouter Network Explorer can detect when client and server are behind
the same router and automatically choose the specified local address to establish the connection to server
User Manual
NeoRouter Inc 2010 Page 26 of 53
35 Multi-Language
Multi-Language support allows you to change the default language displayed in Network Explorer NeoRouter
Portable and Configuration Explorer
351 Install a language resource file
NeoRouter applications support 34 languages and English is the default To install a new language you can
download the language resource files from
httpwwwneoroutercomwikiindexphpNeoRouterWikiMultilanguage and place them under the translation
folder Then the application will load them and list all available languages in the Language menu You can switch
language in the menu and the application will refresh its UI with the new language
For NeoRouter Network Explorer and Configuration Explorer the language resource files should be placed under
one of the following folders
ldquoProgram FilesZebraNetworkSystemsNeoRouterTranslationrdquo
ldquoAllUsersAppdataZebraNetworkSystemsNeoRouterTranslationrdquo
For NeoRouter PortableUSB the language resource file should be placed under Translations folder next to
application
352 Language resource file format
The file name should have the following format [Appliation Name] can be NRClient NRViewer and NRConsole
[LangCd] is the short language code
[Application name]Resource[LangCd][xml|dll]
For example Simplified Chinese version has the following files NRClientResourceZhCnxml for Network
Explorer NRConsoleResourceZhCnxml for Configuration Explorer and NRViewerResourceZhCnxml for
NeoRouter Portable
User Manual
NeoRouter Inc 2010 Page 27 of 53
Each resource file is an xml that contains all the strings defined in the NeoRouter applications The file is encoded in
ANSI The content should be in the format
ltxml version=10 encoding=windows-1252gt
ltresource CompactMode=1 Language=English (United States) LANGID=1033
version=09101650gt
ltstring id=100 value=OLE initialization failed Make sure that the OLE libraries are
the correct versiongt
ltresourcegt
Encoding (=windows-1252) Language(=English (United States)) and LANGID(=1033) are used to control
the translation version=09101650 is resource file version number introduced in v0910 The resource file can
be recognized properly only when these parameters are set properly
353 Multi-Language support for Add-ons
The names and descriptions of the add-ons can be translated to other languages as well You can download the add-
on configuration file from NeoRouter website and overwrite the following file
AllUserAppDataZebraNetworkSystemsNeoRouterAddOnsAddOnxml
36 Skin
Skin allows you to further customize the user interfaces of Network Explorer NeoRouter Portable and
Configuration Explorer
To install a new skin you can download the skin resource file from
httpwwwneoroutercomwikiindexphpNeoRouterWikiSkin and place them under the skin folder
For NeoRouter Network Explorer and Configuration Explorer the language resource files should be placed under
one of the following folders
ldquoProgram FilesZebraNetworkSystemsNeoRouterSkinrdquo
ldquoAllUsersAppdataZebraNetworkSystemsNeoRouterSkinrdquo
For NeoRouter PortableUSB the language resource file should be placed under Skin folder next to executable
To change default skin you need to modify (or create if not exists)
AllUserAppDataZebraNetworkSystemsNeoRouterFeatureini file and add the following
[Default]
SkinName=xxxxstyles
SkinStyle=xxxxini
37 Network Explorer CLI
NeoRouter Network Explorer Command Line Interface (CLI) allows user to sign in manage the computer list and
view computer status Below are the screenshots on Mac and Ubuntu Linux
User Manual
NeoRouter Inc 2010 Page 28 of 53
371 Launch CLI
Usage nrclientcmd [-d DOMAIN] [-u USERNAME] [-p PASSWORD] [-setproxy] [-setconn] [-dbroot DBROOT]
[-internal] [--help]
To launch Network Explorer CLI you can simply run nrclientcmd in a terminal without parameters Mac users can
simply double-click on the nrclientcmd shortcut on the Desktop You will be prompted for domain name and user
credential
If you need to launch nrclientcmd in a startup script you can also provide domain name or credential in the
command line arguments
If the client host is behind a proxy you can use ndashsetproxy option The proxy information will be stored in the
configuration file and nrclientcmd will respect this setting subsequently
There are also a few advance options
- setconn allow user to specify client-to-client connection type
- dbroot allow user to specify the location to store user data
- internal nrclientcmd will generate tags between information sections This option can be used by third
party developers to create a UI wrapper for CLI
372 Computer List in CLI
After signing in you will see your computer list just like on Windows The computer list will automatically update
if there are any changes in your virtual LAN eg a host comes online or offline
At the bottom of the screen lists the available commands you can use to manage the computer list change password
remotely wake up a computer or to quit
38 Network Explorer Portable
NeoRouter Network Explorer Portable can run from any computer without installation It does not require
administrator permission or use the virtual network adapter This application can be extremely useful for users who
need to connect to the VLAN from a public kiosk or from friendrsquos house
User Manual
NeoRouter Inc 2010 Page 29 of 53
Note Prior to v111 Portable and USB are two separate packages They are merged into one package in v111 and
later releases The new package is a zip file containing both the portable client and the USB Auto Run Configuration
Tool The functionalities are same as before
381 Network Explorer Portable
To use Network Explorer Portable client user can simply download it from NeoRouter download website and run
Then user will see the same user interface as the regular Network Explorer The user experience is almost the same
except for the following
The host running PortableUSB client cannot be added to the computer list or be accessed by remote computer
You can think of it as a ldquoviewer of the VLANrdquo
NeoRouter administrator users can see and manage hosts running PortableUSB clients in the Configuration
Explorer
382 Auto Run Configuration for USB
Auto Run Configuration Tool allows user to store the portable client add-ons and configuration on a USB drive
You can even configure it to launch and sign in automatically when the USB drive is plugged into a computer and to
sign out and exit when the USB drive is unplugged
Here are the steps for setting up the USB package
a Download NeoRouter for USB
b Unzip the package to any folder For example CTEMP
c Launch the ldquoAuto Run Configuration Toolrdquo (AutoRunCfgexe)
User Manual
NeoRouter Inc 2010 Page 30 of 53
d Click on the ldquohelliprdquo button next to the working directory text box and specify a working path If the target
USB drive is plugged in you can specify the USB drive root path as the working directory Or you can
specify a temporary path (eg CTEMPUSB) and copy the files to your USB driver later
e Once you specify a working directory the Settings section will be enabled
f Choose CliViewerexe from the same install zip package as the Target file
g Check the Sign in checkbox and enter the domain name and user information to log into your NeoRouter
VLAN
h Setup the proxy information if necessary
i If you want to import a NeoRouter add-on click on the button on the right side of the Add-on file text
box and specify an add-on nri file
j If you want to run an application automatically after signing in click on the Run application
automatically check box and input an executable file path and parameters
k If you want to hide the NeoRouter Viewer window click on the Minimize NeoRouter window when
started
l Click on Save button to save the configuration files It will generate the following files under the working
directory
- Autoruninf
- CliViewerexe copied from the target file
- NRAutoRunxml
- [add-on file]nri if you specify an add-on
- Proxyxml if you specify a proxy
m You will also see the following dialog if the configuration was successful Then please copy all files and
sub-folder under the working directory to the root of your USB drive And the USB drive is ready to use
39 Change Password
A user can change hisher password in NeoRouter Network Explorer User must sign in the Network Explorer using
old password then choose menu ldquoFile | Change Passwordrdquo then enter the new password in the dialog
Network Explorer CLI has similar functionality After signing in user can use ndashchangepassword command to enter
new password
If a user loses the old password an administrator can create a new password for himher using the Configuration
Explorer User Management tool
User Manual
NeoRouter Inc 2010 Page 31 of 53
4 Configuration Explorer
NeoRouter Configuration Explorer is a Windows application that allows an administrator to manage local or remote
NeoRouter server This is the recommended method to change server settings
If user does not have a Windows computer nrserver CLI can be used to perform most configurations
41 Launch and Sign In
Note Only administrators can sign in Configuration Explorer
a User can launch it from Windows Start Menu | All Programs | NeoRouter | NeoRouter Network Explorer
or from NeoRouter Network Explorer menu ldquoFile | Optionsrdquo
b After launch user will see a sign-in dialog that is similar to the Network Explorer counterpart Please enter
domain name and user credential to sign in If the local host is behind a proxy please click on Connection
button to set proxy information
c After sign in the following general information page will be displayed
User Manual
NeoRouter Inc 2010 Page 32 of 53
42 Managing Users
In the User Accounts page you can perform the following tasks
- View existing users The users list can be sorted by any column
- Add a new user admin will create a temporary password for the new user and user can change the
password in Network Explorer
- Edit user information you can enter anything like employer contact info etc
- Set userrsquos password If a user loses password admin can set a temporary password for himher Then user
can change the password again in Network Explorer
- Disable (block) a user A disabled user will not be able to sign in Network Explorer or Configuration
Explorer The userrsquos profile and ACL settings are retained
- Delete a user all information of this user is deleted
- View the computers that are visible to this user (see ACL section for details)
User Manual
NeoRouter Inc 2010 Page 33 of 53
43 Managing Computers
In the Computers page you can perform the following tasks
- View existing computers please note that the Type column will show ldquoTemporaryrdquo for Network Explore
PortableUSB clients and ldquoPermanentrdquo for regular clients The computer list can be sorted by any column
- Edit a computerrsquos alias When a computer is added to the virtual network NeoRouter reads the computer
name from the OS and displays it in the computer list If you prefer a different name you can create an
alias which will then be used in the computer list
- Edit a computerrsquos description you can enter anything like computer owner location asset id etc
- Edit ACL this will be discussed in next section
User Manual
NeoRouter Inc 2010 Page 34 of 53
44 Access Control List
This feature is available in NeoRouter Profession Edition only
441 Overview
The ACL of a host specifies which users are granted or denied access to the host and which specific services or ports
are allowed Administrators can use ACL to manage a NeoRouter domain that has users with different trust levels
For example Joe uses NeoRouter to manage the office network at his small business He wants to share some
documents on a file server with a customer but block this customer from accessing other services on this file server
and other computers at office At the same time Joe and his coworkers should continue to have full access to all
computers
This can be a daunting task with traditional VPN solutions Once Joersquos customer is connected into the office
network heshe can access all network resources just like Joe and his coworkers If the office uses a domain
controller it can help mitigate the threat but Joe would have to check all the computers to ensure they are secure
Some coworkers can make innocent mistakes and share important files or internal websites with ldquoeveryonerdquo With
NeoRouter Joe can manage all the access control at one place and easily solve this challenge
User Manual
NeoRouter Inc 2010 Page 35 of 53
ACL defines the relationships between users and computers that can be conceptually represented using a table In
Joersquos case he needs to define the ACL as follows
Default User Joe (Admin) Customer Joersquo Co-workers
Default Computer ACL Block all
File Server Allow all Allow file sharing
block other services
Office Computer A Allow all Block all
Office Computer B Allow all Block all
Joersquos laptop Allow all Block all
Customerrsquos Computer
Letrsquos first look at the row for File Server Joersquos customer will only have access to the files sharing service There is
no ACL defined for Joe and his co-workers so the ACL for Default User is effective and they have full access
Similarly the customer will be blocked from accessing office computer A and B as well as Joersquos laptop while Joe
and his coworkers have full access to these computers
When the customer connects to Joersquos NeoRouter domain his computer will be added to the domain Because the
ACL for this computer is undefined it will have the same ACL as ldquoDefault Computerrdquo Thus the customerrsquos
computer will block all users including Joe from accessing it The customer has physical access to his own
computer
442 Define Computer ACL
You can think of a computerrsquos ACL as a row in the above ACL table An admin can select any computer in the
computer list and edit its ACL If a group of computers share the same ACL admin can copy ACL from one
computer to another
To edit the Default Computer ACL you can click on the ldquoEdit Default ACLrdquo button in the tool bar
User Manual
NeoRouter Inc 2010 Page 36 of 53
443 Define ACL entry
An ACL entry defines the relationship between one user and one computer You can think of it as a cell in the above
table To edit an ACL entry you can select the computer in the computer list click Edit ACL in the tool bar and
then select the user in the User List in the following dialog If the user does not exist in the list you can click Add
button and add himher
There are 4 types of ACL entries
Undefined the relationship between the user and the computer is not explicitly defined The user does not
show up in the User List of the ACL In this case the Default User ACL entry for this computer will be
effective
Block All the computer is invisible to the user User cannot add the computer to hisher computer list in
Network Explorer or connect to it
Note admin can view the list of computers that is visible to a specific user Click on the User Accounts tab
choose the user and then click on the ldquoUser Computer Listrdquo button from tool bar
Firewall On User can only access the services in the exceptions list provided by the computer
Firewall Off User can access all services provided by the computer
To define the Default User ACL entry for a computer choose Default User from User List If several users have the
same trust level admin can copy the ACL entry from one user to another using the ldquoCopy Fromrdquo button
444 How Firewall Works
NeoRouter Client Service daemon has a built-in firewall that monitors traffic in the virtual network The firewall
downloads the ACL from server and uses it to allow or deny incoming connections in the virtual network
User Manual
NeoRouter Inc 2010 Page 37 of 53
When a remote computer establishes a direct P2P or relayed connection to local host it also informs which user has
signed into the Network Explorer on the remote computer Then the local hostrsquos firewall will use the user id to
choose the appropriate ACL entry and control the virtual network traffic between these two computers If user does
not sign in Network Explorer on the remote computer the Default User ACL entry is used
As a result NeoRouter firewall can control a userrsquos access to a network resource (a computer or a service on a
computer) based on the ACL
445 Example hub-and-spoke
Jeffrsquos company has three business partners A B and C Jeff needs to setup bidirectional network connections with
each partner but these partners should be invisible to each other Jeff setup a NeoRouter domain and invited the
partners to Then Jeff creates the following ACL to achieve his access control goals
Default User Jeff (Admin) Partner A Partner B Partner C
Default Computer ACL Block all Allow all
Jeffrsquos Computer 1 (Hub 1) Allow all
Jeffrsquos Computer 2 (Hub 2) Allow all
Partner Arsquos Computer
Partner Brsquos computer
Partner Crsquos computer
Every user will have access to Jeffrsquos two computers (hub) because they have Default User ACL entry as ldquoAllow
allrdquo Partner Arsquos computer does not have a specific ACL defined so the Default Computer ACL is effective The
Default Computer ACL grants Jeff access to Partner Arsquos computer but make the computer invisible to Partner B and
C Partner A have physical access to his own computer
446 Example one-way access
Jasonrsquos company provide technical support for customer A Jason needs to have one-way access to Customer Arsquos
computer but block Customer A from accessing Jasonrsquos computer Jason sets up the following ACL for his domain
and invites Customer A to join his domain Jason can access all the computers in the domain while Customer A can
access none except for his own
One day Jason visits another Customer Brsquos office He installs NeoRouter client on Customer Brsquos computer so that he
can provide technical support remotely in the future When he signs into Network Explorer he makes sure to
uncheck ldquoremember my passwordrdquo checkbox When he leaves customer Brsquos office he exits the Network Explorer
Because Network Explorer is not running on Customer Brsquos computer the Default User ACL governs the
connections from Customer Brsquos computer to other computers in the VLAN Thus Customer B does not have access
to any computers except for his own When Jason goes back to his office he can connect to Customer Brsquos computer
remotely and provide customer support
The difference between Customer A and B is that Customer A has a NeoRouter user account while Customer B does
not The result is that Jason has access to all three computers while Customer A or B can only access hisher own
computer
Default User Jason (Admin) Customer A
Default Computer ACL Block all Allow all
Jasonrsquos Computer
Customer Arsquos Computer
Customer Brsquos Computer
User Manual
NeoRouter Inc 2010 Page 38 of 53
45 Managing Server and Domain
In the Settings page you can perform the following tasks
- Change domain name User should have setup a domain during the server installation If you decide to
change the domain name you can create a new domain at NeoRouter Dashboard website and then use
Configuration Explorer to switch the server to new domain
- Change Listen Port this is discussed in the Advanced Configuration chapter
- Change NAT setting this is discussed in the Server Installation chapter
- Change DHCP this is discussed in the Advanced Configuration chapter
Please restart the NeoRouter server daemon after changes
46 Branding
This feature is available in NeoRouter Profession Edition only
Admin can customize the logo on the sign-in page NeoRouter Network Explorer and the banner below the computer
list The customization page of the Configuration Explorer allows user to make these changes The changes will be
effective next time user signs into the Network Explorer
User Manual
NeoRouter Inc 2010 Page 39 of 53
a Logo format custom logo can be JPG JPEG BMP or GIF files The Logo will be displayed in 180 80
pixels and the file will be automatically resized to fit The color of the pixel at (0 0) will be used as the
transparent color
b Banner format custom banner can be JPG JPEG BMP or GIF files The banner will be displayed in
190 42 pixels and the file will be automatically resized to fit
c When user clicks on the banner Network Explorer will launch a web browser and navigate to the link
specified in the ldquoBanner Linkrdquo box The banner link should be a valid URL that begins with http eg
httpwwwgooglecom
User Manual
NeoRouter Inc 2010 Page 40 of 53
47 Server Configuration CLI
Another way to configure the NeoRouter server is to use nrserverrsquos CLI If user does not have a Windows computer
with Configuration Explorer this tool can be used to set most configurations
Usage nrserver [options]
-run [--dbroot ltDBROOTgt]]
-showsettings
-setdomain ltDOMAINNAMEgt ltDOMAINPASSWORDgt
-setport ltPORTgt
-dhcp ltSUBNETgt ltNETMASKgt
-showusers
-adduser ltUSERNAMEgt ltPASSWORDgt [admin|user]
-setpassword ltUSERNAMEgt ltNEW PASSWORDgt
-setrole ltUSERNAMEgt [admin|user]
-enableuser ltUSERNAMEgt
-disableuser ltUSERNAMEgt
-deleteuser ltUSERNAMEgt
-showcomputers
-deletecomputer COMPUTERNAME
-setalias COMPUTERNAME ALIAS
-help
5 Advanced Configuration
51 Change Server Port
By default NeoRouter server listens at TCP port 32976 for incoming client connections User can change the
listening port to any valid number between 1 and 65534
a Launch Configuration Explorer sign in and open the Settings tab
b Click on ldquoChange Portrdquo button input the new listening port and click ldquoOkrdquo to save the settings
c If the NeoRouter Server is running on the same computer user will be prompted for restarting the
NeoRouter Server
d If the NeoRouter Server is running on a different computer or device user needs to restart the server
manually
User Manual
NeoRouter Inc 2010 Page 41 of 53
Note
- The new settings will not take effect until the NeoRouter server stops and restarts
- Since the listening port has been changed all NeoRouter clients connected to the server will be
disconnected and have to reconnect to the server
52 Change DHCP NeoRouter server acts as a DHCP server to allocate the virtual IP address when a NeoRouter client connects to it By default the base IP address is 100002552552550 User can change the base IP address to any valid network IP address to meet the specific requirements
a Run Configuration Explorer sign in and open the ldquoSettingsrdquo tab b Click on ldquoChange DHCPrdquo button input the new IP address and netmask and then click ldquoOkrdquo to save the
settings c If the NeoRouter Server is running on the same computer user will be prompted for restarting the
NeoRouter Server d If the NeoRouter Server is running on a different computer or device user needs to restart the server
manually
Note
- The new settings will not take effect until the NeoRouter server stops and restarts
53 Network Bridge
531 Overview NeoRouter (v099 or later) supports the Network Bridge feature which uses two very different means for
interconnecting networks routing and bridging Once the feature is enabled the ACL feature will be disabled
automatically as we cannot control the packets from the external networks anymore and may cause security issues if
its not setup properly So this is an advanced feature for the users who know about it every well
Routing - refers to the interconnection of separate and independent sub-networks (subnets) which have non-
overlapping ranges of IP addresses Upon receiving a packet sent to it a network router examines the
destination IP address to determine which of several connected networks should receive it after which that packet
is forwarded to the proper network
User Manual
NeoRouter Inc 2010 Page 42 of 53
Bridging - by comparison is much simpler A network bridge is simply an electrical interconnection between
separate physical networks that are all carrying the same ranges of IP addresses Standard dumb network hubs
and switches are examples of network bridges With a hub packets arriving at any port are bridged and sent
out to every other port A switch is a bit smarter since it is able to adaptively learn which network interface cards
(NICs) are attached to which ports But a switch is still interconnecting network segments carrying the same
ranges of IP addresses
532 Routing vs Bridging Although routed connections are the most common and straightforward to configure they suffer from significant
operational limitations By comparison bridged connections are generally much trickier to configure and are not
even natively available under all operating systems so they are not the default connection type But when bridging
is properly setup it correctly does everything that we want
Bridging and routing are functionally very similar with the major difference being that a routed VPN will not pass
IP broadcasts while a bridged VPN will
Routing advantages
Efficiency and scalability
Allows better tuning of MTU for efficiency
Routing disadvantages
Clients must use a WINS server (such as samba) to allow cross-VPN network browsing to work
Routes must be set up linking each subnet
Software that depends on broadcasts will not see machines on the other side of the VPN
Works only with IPv4 in general and IPv6 in cases where tuntap drivers on both ends of the connection
support it explicitly
Bridging advantages
Broadcasts traverse the VPN -- this allows software that depends on LAN broadcasts such as Windows
NetBIOS file sharing and network neighborhood browsing to work
No route statements to configure
Works with any protocol that can function over ethernet
Relatively easy-to-configure solution for road warriors
Bridging disadvantages
Less efficient than routing and does not scale well
533 Setup Network Bridge With either bridging mode or routing mode one can create point-to-site VPN site-to-site VPN or even multiple site-
to-site networks Once a network structure is well designed one can use Featureini file to control NeoRouter client
service to implement it
The file Featureini is located in the main configuration folder which can be various for different OS
On Windows Xp
XDocuments and SettingsAll UsersApplication DataZebraNetworkSystemsNeoRouter
On Vista+
XUsersAll UsersZebraNetworkSystemsNeoRouter
On Linux and Mac OSX
usrlocalZebraNetworkSystemsNeoRouter
On in-a-box
jffs
If it does not exist please create one
The only thing to do is define the parameters in the Featureini file
User Manual
NeoRouter Inc 2010 Page 43 of 53
NetworkBridge=1
LANSegment parameter
This is a set of parameters used for mapping the external IP address or IP range to a virtual IP address so that
NeoRouter can route the packets to the proper tunnel Its defined in the following format
LANSegment[index]=[IP|IP range|segment]VIP
[index] - number start from 1 for example 123
[IP] - a valid external IP address for example 192168129126
[IP range] - a set of external IP addresses in the format as IP_BEGIN-IP_END For example 192168129126-
192168129128
[segment] - a set of external IP addresses in the format as SUBNETWORKNETMASK For example
19216812902552552550
For example
[Default]
NetworkBridge=1
LANSegment1=192168129126-192168129128192168129204
LANSegment2=192168129120192168129205
LANSegment3=192168302552552550192168129206
In the sample above the setting tells NeoRouter how to route packets
Here are several common scenarios
534 Bridging Setup ndash point to site VPN
Requirement
A company wants create a point-to-site VPN so that the employees can remotely access the printers or computers in
the office from home or customer site Since NeoRouter client cannot be installed on the printers and some
User Manual
NeoRouter Inc 2010 Page 44 of 53
computers that are running Unix OS (HP-Unix Solaris or SCO Unix) the NeoRouter Network Bridge feature
would the best choice
Design
Since we want to use the printer its better to use the bridging mode Depending on the requirements we split the
network into 3 groups
1 192168129126 - 192168128128 used for computers or printers
2 192168129200 - 192168129254 used for NeoRouter DHCP
3 Other IP address we dont want packets from these IP range go to our VPN
Setup
1 Setup NeoRouter server and config the DHCP address to 1921681292002552552550
2 Setup the gateway computer by creating a bridge to combine the NeoRouter virtual adapter and a local adapter
On Windows XP+ (except WinXp x64) one can use Windows tool to create a bridge
(check out MSDN for details)
Since some adapters may not fully support prosmic mode one has to enable it manually
(check out httpsupportmicrosoftcomkb302348)
gt netsh bridge show adapter
gt netsh bridge set a 1 e
gt netsh bridge set a 2 e
On Linux one can use brctl command to create a bridge
gt brctl addbr $br
gt brctl addif $br eth0
gt brctl addif $br nrtap
gt ifconfig nrtap 0000 promisc up
gt ifconfig eth0 0000 promisc up
gt ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast
gt
gt ifconfig $br down
gt brctl delbr $br
3 Setup Featureini file on each member of the NeoRouter network The content of the file is
[Default]
NetworkBridge=1
LANSegment1=192168129126-192168129128192168129204
After setting the file restart the nrservice or reboot computer
User Manual
NeoRouter Inc 2010 Page 45 of 53
535 Routing Setup ndash site to site VPN
Requirement
A company wants create a site-to-site VPN to link two offices located in different cities They cannot install
NeoRouter client software on their computers running Unix OS (HP-Unix Solaris or SCO Unix) The NeoRouter
Network Bridge feature would be the best choice
Design
To make the VPN fast its better to use the routing mode From the requirements we can see 3 networks
1 19216812902552552550 Office 1
2 192168302552552550 Office 2
3 100102552552550 NeoRouter virtual network
Setup
1 Setup NeoRouter client on each gateway computers
2 One each gateway computer enable the feature allowing the OS to forward packets
On Windows 2000+
create HKEY_Local_MachineSystemCurrentControlSetServicesTcpipParametersIPEnableRouter
as a string value equal to 1 in the registry This will require a system reboot to take effect To confirm it
is enabled do ipconfig all from the command line IP Routing Enabled should say yes If not confirm your
registry setting and reboot again This setting is flaky in non-server versions of Windows
Also refer to httpsupportmicrosoftcomkb230082en-us
On Linux
gt echo 1 gt procsysnetipv4ip_forward
User Manual
NeoRouter Inc 2010 Page 46 of 53
On Mac OS X
1) The easy way is to create or edit etcsysctlconf and add netinetipforwarding=1
or
2) gt sysctl -w netinetipforwarding=1
3 Setup route on each gateway
On the gateway of the 1921683x network
gt route ndashp add 1921681290 mask 25525500 1001103
On the gateway of the 192168129x network
gt route ndashp add 19216830 mask 25525500 1001102
4 Setup route stable When using routing method you need to tell your other machines how to cross the VPN to
access computers on the opposite network
Option1
This requires more work but limits configuration changes to be at the computer level
On each computer of the 1921683x network
gt route ndashp add 1921681290 mask 25525500 1921683234
On each computer of the 192168129x network
gt route ndashp add 19216830 mask 25525500 192168129129
Option 2 (not all routers support this but it is the minimal configuration method)
On the router acting as the default gateway for 1921683x network add a static route that says any traffic destined
for 1921681290 network go through 1921683x (IP address of NeoRouter PC on 1921683x network)
On the router acting as the default gateway for 192168129x network add a static route that says any traffic
destined for 19216830 network go through 192168129x (IP address of NeoRouter PC on 192168129x
network)
User Manual
NeoRouter Inc 2010 Page 47 of 53
536 Bridging Setup ndash site to site VPN
537 Run Scripts When Network Bridge feature is enabled one can define commands getting called by NR Client on the following
events
These commands should be defined in the Featureini file
1When initialize the tap device but not activate it yet
CmdOnTapInit=xxxxxxxxx
2When the tap device gets activated
CmdOnTapActive=xxxxxxxxx
3When tap device gets destroyed
CmdOnTapUninit=xxxxxxxxx
These options are available on all platforms
For example one can define a script to setup static route table after the tap gets activated and has virtual IP address
assigned
Featureini
CmdOnTapActive=usrbinsetroutetablesh
User Manual
NeoRouter Inc 2010 Page 48 of 53
54 Build Custom Add-on (Windows)
541 Create Custom Add-on You can customize an add-on or even create your own
As an example letrsquos create an add-on to get the system info of a remote computer using PsTools by Mark
Russinovich and systeminfoexe command shipped with Windows
PsTools httptechnetmicrosoftcomen-ussysinternalsbb896649aspx
systeminfo httptechnetmicrosoftcomen-uslibrarybb491007aspx
a Launch NeoRouter Network Explorer open Add-ons Manager dialog
b Click + button to create a new add-on
c In add-on properties dialog enter the following
Add-on name psexec systeminfo
Command
cmdexe C cpstoolspsexecexe NRIPAddress -u ltusernamegt systeminfo amp pause
Please replace ltusernamegt with username on the remote computer
Comment Get SystemInfo of remote machine using psexec
Startup Type Manual
Icon click Change Icon button to choose one thats easy to recognize
d In the command you can use Windows environment variables or NeoRouter variables like
NRIPAddress If you click on the button next to the Command edit box you will see the Edit
Command dialog with a list of variables you can use
User Manual
NeoRouter Inc 2010 Page 49 of 53
e Three Startup types are supported
Manual the add-on will be displayed in the launch pad of Network Explorer and user can manually
launch the program
Automatic after signing in the add-on command is automatically executed when user signs into
NeoRouter Network Explorer
Automatic after Windows starts the add-on command is automatically executed when Windows
starts
f Launch the new add-on just click on the target computer in Network Explorer and choose the add-on in
the pop-up launch pad
User Manual
NeoRouter Inc 2010 Page 50 of 53
g In the above steps I have assumed that PsTools are installed at cPsTools and the remote computer has
telnet service enabled If not lets configure the system now
PsTools download from httptechnetmicrosoftcomen-ussysinternalsbb896649aspx and extract to
cPsTools folder
h Configure telnet service on remote computer This step is required on XPVista but not necessary on
Windows 20032008 servers
Run servicesmsc from the Start -gt Run command window and configured the Telnet service for
Automatic Start the service
Follow the instructions here httpsupportmicrosoftcomkb298060en-us
Launch Windows firewall and add CWINDOWSSystem32tlntsvrexe to exception list
542 Add-on File Formats
NeoRouter supports two types of add-on files nri and nra Most users only need to deal with nri files all files
downloaded from httpwwwneoroutercomaddonsindexhtml are in this format nra files are used by advanced
users to build custom add-ons
nri is the full installation package that contains both the application and the the configure info Users can simply
download nri files from and use the Install button to setup the add-on
nra contains only the configuration info Advanced users can create custom add-ons and export the configuration
info as nra files using the Export button in the add-on properties dialog Then heshe can import the nra file
on another client But remember that you will need to manually setup the application as well
User Manual
NeoRouter Inc 2010 Page 51 of 53
6 Licensing NeoRouter
61 Licensing Overview
NeoRouter Server Professional Edition has a license control mechanism User can purchase either 8 licenses or 256
licenses The number of licenses is the max number of client computers allowed in the virtual network A
NeoRouter client requires one license regardless of whether it is online or offline A NeoRouter PortableUSB client
requires one license when it is connected to the virtual network There is no limit on the number of user accounts
NeoRouter Professional has 30 days trial period Please activate before the trial period expires to ensure
uninterrupted usage The license status and remaining trial days can be found at Configuration Explorerrsquos General
page
62 Activation
If you have purchased NeoRouter Professional Edition you should receive a product key in email Please have the
product key ready before starting the activation process
a Ensure NeoRouter server is running
b Launch Configuration Explorer and sign in
c Open ldquoGeneralrdquo page click on the ldquoActivate Productrdquo button
d Enter the product key in the following dialog
e Click on the ldquoOKrdquo button to activate it
After successful activation the ldquoActivate Productrdquo button will disappear and License status will show as activated
If the server host is non-Windows you can also activate using nrserverrsquos CLI The command is as follows On Mac
nrserver executable is located under LibraryNeoRouter
ldquonrserver ndashactivateproduct ltPRODUCT KEYgtrdquo
63 Product Key Recovery
You should receive a product key in email within 48 hours after your purchase If you lose the product key please
contact us and provide your name company shipping address and email address We will verify the information and
resend the product key to you
User Manual
NeoRouter Inc 2010 Page 52 of 53
7 Troubleshooting and Support
71 Troubleshooting
If you come cross issues when using NeoRouter please use the methods to debug or report
711 Troubleshooting steps
1Install Server
2Check Server
Process
3Check Server
Listening port
4Check Port
Forwarding
6Signin with
Domain
14Check Error
Message
20 Generate Log
and email support
9Install Client
10Check Client
Service Process
11Sign in with
serverrsquos local or
public IP and port
failed
sucessful
15 Manually Start
Servernot found
started
not start
found
not open17 Check Port
conflicts
solved
Not solved
opened
19 Check Router
Port Forward
setting
not work
Set properly
8Ready
Sign in successfully
5Sign in with
public IP and port
successful
Cannot sign in
22 Router Hairpin
issue
Cannot
sign in
12Sign in with
domain name
found
successful
failed
16 Manually Start
Client ServiceNot found
started
13Ready
Sign in successfully
18 Check serverCannot
Sign in
solved
Cannot
sign in
21 Check domain
setting
Not sovled solved
Troubleshooting Steps
Setup Server Setup Client
Note
Step 2 and 10 to check if a process is running you can use Task Manager or Services Console on
Windows or ps command on other platforms
Step 3 to check server listening port you can use telnet or netstat on all platforms You can also
TcpViewer on Windows or NetActView on Linux
Step 4 to check port forwarding you can use httpwwwneoroutercomcheckportphp
Step 5 and 6 Tip ndash use Configuration Explorer instead of Network Explorer to debug server issues
Step 20 next section will explain how to generate log files
User Manual
NeoRouter Inc 2010 Page 53 of 53
Step 22 If your router does not support Hairpin please set serverrsquos LAN address in the Connection
Options dialog See Server Local Address
712 Generate Log
If you need technical support please use the following steps to collect the log files and send them to
supportneoroutercom
a Launch Network Explorer
b Select menu item HelpgtgtTroubleshootinggtgtLog Session to File
c If you want to troubleshoot the server then restart the NeoRouter server service from the servicesmsc if
you want to create log for the client then restart the NeoRouter client service from the servicemsc
d After reproduce the issue select menu item HelpgtgtTroubleshootinggtgt Log Session to File again to disable
the log and restart the service you are trying to log
e Select menu item HelpgtgtTroubleshootinggtgtOpen Configuration Folder and you will see the log file
For advanced users please setup logging settings manually referring to
httpwwwneoroutercomwikiindexphpNeoRouterWikiFAQHow_to_generate_a_log_file3F
72 Contact Us
Company website
httpwwwneoroutercom
Technical support
supportneoroutercom
Support ticket
httpswwwneoroutercomDashboardSendTicketaspx
Support forum
httpwwwneoroutercomforum
Product sales
salesneoroutercom
Knowledge base
httpwwwneoroutercomsupport
User Manual
NeoRouter Inc 2010 Page 2 of 53
Table of Contents Table of Contents 2 1 Scope of service 4
11 About NeoRouter 4 12 Key Features 4 13 Glossary and Concepts 5 14 How it works 6 15 System Requirements 7 16 Acknowledgements 7
2 Installation 8 21 Check list 8 22 Server Setup 8
221 Server Network Requirements 8 222 Install NeoRouter server on Windows 8 223 Install NeoRouter server on Mac 10 224 Install NeoRouter server on Linux 10 225 Install NeoRouter Server on OpenWRT Kamikaze 11 226 Install NeoRouter Server on Tomato 11 227 Install NeoRouter Server on Fonera 20 N 11 228 Create first administrator account 12 229 Setup NeoRouter domain 12 2210 Port forwarding 12
23 Client Setup 12 231 Install NeoRouter Client on Windows 12 232 Install NeoRouter Client on Mac 13 233 Install NeoRouter Client on Linux 13 234 Install NeoRouter Client on OpenWRT Kamikaze 14 235 Install NeoRouter Client on Fonera 20N 14
3 Network Explorer 15 31 Launch and Sign In 15 32 Computer List 16 33 Add-on 17
331 Add-on launch pad 18 332 Manage Add-ons (Windows) 19 333 Manage Add-ons (Mac) 22
34 Connection Options 24 341 P2P Connection 24 342 Proxy Setting 24 343 Server Local Address 25
35 Multi-Language 26 351 Install a language resource file 26 352 Language resource file format 26 353 Multi-Language support for Add-ons 27
36 Skin 27 37 Network Explorer CLI 27
371 Launch CLI 28 372 Computer List in CLI 28
38 Network Explorer Portable 28 381 Network Explorer Portable 29 382 Auto Run Configuration for USB 29
39 Change Password 30 4 Configuration Explorer 31
41 Launch and Sign In 31
User Manual
NeoRouter Inc 2010 Page 3 of 53
42 Managing Users 32 43 Managing Computers 33 44 Access Control List 34
441 Overview 34 442 Define Computer ACL 35 443 Define ACL entry 36 444 How Firewall Works 36 445 Example hub-and-spoke 37 446 Example one-way access 37
45 Managing Server and Domain 38 46 Branding 38 47 Server Configuration CLI 40
5 Advanced Configuration 40 51 Change Server Port 40 52 Change DHCP 41 53 Network Bridge 41
531 Overview 41 532 Routing vs Bridging 42 533 Setup Network Bridge 42 534 Bridging Setup ndash point to site VPN 43 535 Routing Setup ndash site to site VPN 45 536 Bridging Setup ndash site to site VPN 47 537 Run Scripts 47
54 Build Custom Add-on (Windows) 48 541 Create Custom Add-on 48 542 Add-on File Formats 50
6 Licensing NeoRouter 51 61 Licensing Overview 51 62 Activation 51 63 Product Key Recovery 51
7 Troubleshooting and Support 52 71 Troubleshooting 52
711 Troubleshooting steps 52 712 Generate Log 53
72 Contact Us 53
User Manual
NeoRouter Inc 2010 Page 4 of 53
1 Scope of service
11 About NeoRouter
NeoRouter is a cross-platform zero-configuration VPN solution that securely connects Windows Mac and Linux
computers at any locations into a virtual LAN and provides a networking platform for various applications like
remote desktop shared folders and printers offsite backup voice amp video chat games etc It is the ideal Remote
Access and VPN solution for small businesses and homes
Many small businesses or homes have high-speed internet and multiple computers and users are facing challenges
like remote access directory management and network security To solve similar problems at large enterprises
skilled administrators can deploy very expensive and complex tools like VPN domain controller and corporate
firewall But small business or home users do not have the right tools that fit their needs
Our mission is to provide low-cost zero-configuration networking solutions for small businesses and homes This is
why we have built NeoRouter
12 Key Features
Feature Description
Cross platform Support Windows (from Windows 2000 to Win7) Mac OSX (from Tiger to Snow
Leopard) Linux (all major distros) and router firmwares (tomato fon and openwrt)
Roaming Profile You can sign in from any computer using the same account and your profile (including
the computer list and your preference) will roam with you
P2P NeoRouter can setup direct peer-to-peer (P2P) connection between computers When
direct P2P connection is impossible (eg your computer is behind a corporate
firewall) NeoRouter relays the network traffic through your own router while other
VPN products relay through a central server geologically located far away and shared
by thousands of other users
High portability You can run NeoRouter portable client from a USB drive without installation This
feature is especially useful if you are using a computer that you do not have the
privileges to setup new software eg in a library or hotel
Unattended servers NeoRouter runs as a system service (daemon) and will automatically reconnect after
reboot
Add-ons Add-ons extend NeoRouter and let you perform additional tasks over the virtual
network
Proxy Proxy support allows you access your virtual network behind proxy servers that
support HTTP Proxy SOCKS4 and SOCKS5 protocols
Remote Wakeup You can put your computer to standby mode to conserve electricity and NeoRouter can
wake up the computer when you actually use it
Reliability NeoRouter does not rely on a central server for connectivity so you do not need to
worry about the unexpected server maintenance and downtime
Network Bridge You can either bridge the NeoRouter virtual network with physical networks or create
multiple site-to-site VPN
Access control You can grant or deny users accesses to a computer or a serviceport individually For
example you can prevent your client Bob from accessing your internal file server even
though they are on the same virtual LAN
Customization You can personalize the user interface with your native language and favorite skin
Branding Business users can integrate the companys logo and customize the banner
User Manual
NeoRouter Inc 2010 Page 5 of 53
13 Glossary and Concepts
NeoRouter Virtual Network (VLAN) NeoRouter software connects a group of hosts from any locations into a
virtual LAN-like network that has similar attributes as a physical LAN Hosts can communicate as if they were
attached to the same broadcast domain even if they are not located on the same network switch
NeoRouter Client A host on the VLAN is called NeoRouter Client It has a virtual network adapter and is assigned
a virtual IP address
NeoRouter Server NeoRouter Server assists clients in discovering and communicating to each other It also
manages usersrsquo profiles and privileges software licenses and branding NeoRouter Clients must connect to server in
order to join the VLAN
NeoRouter Domain One NeoRouter Server and multiple NeoRouter Clients that connect to this server are
collectively called NeoRouter Domain Each domain has a globally unique name as its identification Domain names
are managed by NeoRouter Inc
NeoRouter User A NeoRouter User is a person who uses NeoRouter software and accesses hosts on a virtual
network Please note that many other VPN solutions like OpenVPN or Hamachi do not distinguish a user from a
client host NeoRouter introduces the user concept so that a user will have the experience regardless on which
computer he connects to the VLAN and admin can manage each userrsquos access privilege
NeoRouter Administrator A NeoRouter Admin is a user who can also manage the VLAN
NeoRouter Network Explorer The main application installed on a client that allows users to log into the VLAN
view the connection status of other clients and launch add-on programs to connect to remote clients It may have
graphic or command-line user interface (executable is nrclientcmd)
NeoRouter Network Explorer PortableUSB (aka Viewer) A version of the NeoRouter Network Explorer that
requires no installation It is ideal for users who need to connect from a kiosk but do not have the privilege to install
software It allows users to log in and launch add-on programs just like the regular Network Explorer But the local
computer will not join the VLAN and other clients will not be able to connect to it It also ensures no personal
information is left behind after use
NeoRouter Configuration Explorer (aka Console) An application installed on a client or a server that allows
administrators to manage a VLAN Configuration Explorer for Windows has a graphic user interface and can be
used to configure local or remote server Configuration Explorer for Mac and Linux are built into serverrsquos
command-line interface (executable is nrserver) and can configure local server only
NeoRouter Client Service A daemon program installed on a client that establishes connections to server and peer
clients It always runs in the background and ensures the connections even when the Network Explorer is not
running Most users do not need to interactive with this program directly
Access Control List (ACL) An ACL of a host specifies which users are granted or denied access to the host and
which ports are allowed Each host also has a default ACL which is used if a userrsquos privilege is not explicitly
defined in the hostrsquos ACL or if user does not sign in Network Explorer on the remote host
NeoRouter Dashboard A web-based application that allows users to manage domain information and view
domain status (httpswwwneoroutercomDashboard)
NeoRouter Dynamic Domain Name System (DDNS) To simplify user log on NeoRouter maintains domain
name public IP address and port of every NeoRouter server in a central DDNS server When user launches Network
Explorer and signs into a domain Network Explorer contacts the DDNS server translates the domain name into the
actual IP address and port and connects to the NeoRouter server
User Manual
NeoRouter Inc 2010 Page 6 of 53
14 How it works
In the NeoRouter domain shown in the above diagram three clients at different locations can establish direct P2P
connections with the help from server and can communicate to each other as if they were in the same physical LAN
A NeoRouter server is usually setup on an always-on host that has stable Internet connection and a static or dynamic
public IP address If server is behind a router (or firewall) user needs to configure the router and expose the
NeoRouter server port (default to 32976) to Internet by port-forwarding or UPnP
NeoRouter client can connect from anywhere as long as it has Internet connection User can simply launch
NeoRouter Network Explorer signs in with user credential and domain name and heshe will be able to view the list
of hosts in the VLAN and launch add-on programs to access them Network Explorer uses a DDNS-like protocol to
discover and connects to the NeoRouter server (blue lines) When user executes add-on programs NeoRouter client
will establish a direct P2P connection to the requested peer client (green lines) and a secure tunnel that transfers the
network data from all the add-on programs
NeoRouter server remembers the signature of a client after its first successful connection and NeoRouter Client
Service daemon can then connect to the VLAN without requiring user to log into NeoRouter Network Explorer
This allows an untended server to always stay connected
NeoRouter clients use the STUN and STUNT methods to establish the direct P2P connections and achieve highest
connection speed These methods are widely used in P2P programs and have very high success rate If a client is
behind a symmetric NAT which is often found in large corporations these methods may fail and the connection to
this client will fall back to relay mode If the traffic between two clients is relayed through server the serverrsquos
physical location network speed and CPU load may affect the connection speed
NeoRouter uses SSLv3 (AES-256) protocol to secure the communication channel between client and server and uses
a suite of protocols (RSA 2048bit DH and AES-256) to protect P2P connections among clients This solution meets
the industryrsquos highest security standards
User can setup NeoRouter server and client on the same host NeoRouter server by itself cannot add a host into
VLAN or communicate with peer clients using their virtual IP addresses User often sets up NeoRouter client
software on the same host as server so that this host can become part of the VLAN
User Manual
NeoRouter Inc 2010 Page 7 of 53
15 System Requirements
NeoRouter client and server can be installed on
Windows (Win 7VistaXP200820032000)
Mac OSX (x86 LeopardSnow Leopard PPC Tiger)
Linux i386 and x64 (RedhatFedoraCentOS UbuntuDebian SuSE)
Linux-based router firmware (Tomato OpenWRT Kamikaze Fonera2n)
16 Acknowledgements
NeoRouter is made possible because of the following open-source projects
OpenSSL the Open Source toolkit for SSLTLS httpwwwopensslorg
OpenWrt a Linux based firmware program for embedded devices such as residential gateways and routers
httpwwwopenwrtorg
Tomato Firmware a small lean and simple replacement firmware for Broadcom-based routers
httpwwwpolarcloudcomtomato
Fon A router that allow its user to securely share their Wi-Fi network with other Fon members httpwwwfoncom
Tun-Tap OSX the virtual network interface for Mac OS X httptuntaposxsourceforgenet
Nullsoft Scriptable Install System (NSIS) a professional open source system to create Windows installers
httpnsissourceforgenet
NRClientX a GUI frontend for NeoRouter Network Explorer on Mac Linux and Windows
httpsourceforgenetprojectsnrclientx
User Manual
NeoRouter Inc 2010 Page 8 of 53
2 Installation
21 Check list
Here are the steps to setup a NeoRouter Virtual LAN Please refer to next few sections for detailed instructions on
your target operating systems
Server Setup
a Choose a host that meets the network requirements as NeoRouter server
b Install NeoRouter server software
c Create the first administrator if necessary
d Setup NeoRouter domain
e Configure router or firewall for port-forwarding or UPnP if necessary
Note NeoRouter Server for Windows has an install wizard that guides user through steps b c amp d
Client Setup
a Install NeoRouter client software
b Sign In Network Explorer and join this host to VLAN
c Install add-ons if necessary
License activation See Chapter 6 Licensing NeoRouter
22 Server Setup
221 Server Network Requirements
A NeoRouter server is usually setup on an always-on host that has stable Internet connection and a static or dynamic
public IP address If server is behind a router (or firewall) user needs to configure the router and expose the
NeoRouter server port (default to 32976) to Internet by port-forwarding or UPnP
222 Install NeoRouter server on Windows
a Download NeoRouter installation package for Windows NeoRouter server and client for Windows share
the same installation package
If you are installing on Windows 2000 please download the package for this OS
b If you have installed an earlier version of NeoRouter please uninstall it using Windows Add or Remove
Program tool
You may be prompted with a dialog box asking whether to remove user data files generated by NeoRouter
These files include database configuration and cached information If you are simply upgrading please
click ldquoNordquo to keep the files
c Launch the installation wizard choose NeoRouter Server and click the Next button
User Manual
NeoRouter Inc 2010 Page 9 of 53
d Setup a domain name that can uniquely identify your virtual LAN You will need to enter the domain name
in the log on to box during sign in
e Setup the administrator account for your domain You will need to enter the username and password during
sign in
User Manual
NeoRouter Inc 2010 Page 10 of 53
f Click the Finish button to complete installation
g NeoRouter is installed under ldquoProgram FilesZebraNetworkSystemsNeoRouterrdquo and user data is stored
under ldquoAllUsersAppdataZebraNetworkSystemsNeoRouterrdquo
h NeoRouter server daemon can be controlled in Services Console (servicesmsc)
223 Install NeoRouter server on Mac
a Download NeoRouter server for Mac
b If you have installed an earlier version of NeoRouter please uninstall it In a terminal execute command
sudo LibraryNeoRouterrmnrserversh
c Double-click nrserver-ltversiongt-ltreleasegtdmg to open the disk image in Finder
d Double-click NeoRouterServermpkg to launch installer
e NeoRouter is installed under LibraryNeoRouter folder and user data is stored under
usrlocalZebraNetworkSystemsNeoRouter
224 Install NeoRouter server on Linux
a Download NeoRouter Server for your Linux distribution
b If you have installed an earlier version of NeoRouter please uninstall it
Redhat and Fedora sudo rpm -e nrserver
SuSE sudo rpm -e nrserver
Ubuntu and Debian sudo dpkg -r nrserver
c Install
Ubuntu amp Debian sudo dpkg -i nrserver-ltversiongt-ltreleasegti386deb
SuSE sudo rpm -i nrserver-ltversiongt-ltreleasegti386rpm
Redhat and Fedora sudo rpm -i nrserver-ltversiongt-ltreleasegti386rpm
Configure OpenSSL NeoRouter is compiled using openssl 098g If you have an older version of
Fedora please upgrade the openssl package You may also need to add the following symbol links
cd lib
ln -s libcryptoso098g libcryptoso098
ln -s libsslso098g libsslso098
d Configure firewall for NeoRouter server listening port
User Manual
NeoRouter Inc 2010 Page 11 of 53
Redhat and Fedora In a terminal run command sudo nano etcsysconfigiptables add -A INPUT -m
state --state NEW -m tcp -p tcp --dport 32976 -j ACCEPT before COMMIT
SuSE Launch firewall configuration tool choose Allowed Services in the left panel choose External
Zone in the first drop-down box choose NeoRouter server in the second drop-down box click Add
button click Next click Finish to save the changes
Ubuntu does not support firewall by default If you setup any firewall please open NeoRouter server port
(32976 by default)
e NeoRouter is installed under usrbin and user data is stored under
usrlocalZebraNetworkSystemsNeoRouter
225 Install NeoRouter Server on OpenWRT Kamikaze
a Connect to the router using ssh
b Update available install packages using command opkg update
c If you have installed an earlier version of NeoRouter please uninstall it opkg uninstall nrserver
d Install opkg install httpwwwneoroutercomDownloadsKamikazenrserver_ltversiongt-
ltreleasegt_mipselipk
e Configure firewall for the NeoRouter server listening port
edit etcfirewalluser and add the following
iptables -t nat -A prerouting_wan -p tcp --dport 32976 -j ACCEPT
iptables -A input_wan -p tcp --dport 32976 -j ACCEPT
f NeoRouter is installed under usrbin and user data is stored under
usrlocalZebraNetworkSystemsNeoRouter
226 Install NeoRouter Server on Tomato
a Download NeoRouter Server for Tomato It is a custom build of the full tomato firmware in TRX format
b Flash your router with the downloaded firmware See httpenwikibooksorgwikiTomato_(firmware) for
instructions
c In tomato UI ndash Administration ndash Jffs2 enable jffs and format if needed
d In tomato UI ndash Administration ndash scripts ndash WAN up add usrbinnrserversh start
e Reboot router
f NeoRouter is installed under usrbin and user data is stored under
usrlocalZebraNetworkSystemsNeoRouter
g Troubleshoot If you have trouble signing into NeoRouter Network Explorer from a remote client please
try DISABLE the Inbound Connection Logging In tomato UI - Status - Logs - Logging Configuration
disable Inbound Connection
227 Install NeoRouter Server on Fonera 20 N
a Download the NeoRouter Server for Fonera 20N (FON Plugin) package
b Open browser and log on to Fonera router web interface By default it is http192168101
c Navigate to Dashboard gtgt Applications
d If you have installed an earlier version of NeoRouter please uninstall it choose NeoRouter and click on the
ldquoXrdquo button to remove it
e Make sure there is more than 13MB free space left on the device
f Click the Browse button and choose the NeoRouter package then click the Upgrade button
g The installation will complete in a few seconds and the webpage will refresh automatically Do not
interrupt your browser during installation
h Please verify that NeoRouter icon shows up in the applications list and dashboard
i NeoRouter is installed under usrbin and user data is stored under
usrlocalZebraNetworkSystemsNeoRouter
User Manual
NeoRouter Inc 2010 Page 12 of 53
228 Create first administrator account
On Windows the install wizard will guide user to create the administrator
On non-Windows platforms NeoRouter can defer the authentication to the OS So user can sign in NeoRouter
using the same username and password as heshe logs into OS An exception is that if userrsquos OS account does
not have a password NeoRouter will not allow heshe to log in In this case user must create the first
administrator account using nrserver CLI ldquonrserver -adduser ltusernamegt ltpasswordgt [admin|user]rdquo On Mac
nrserver is located under ldquoLibraryNeoRouterrdquo
229 Setup NeoRouter domain
This step is only necessary on non-Windows platforms because Windows install wizard does this
automatically
a Launch web browser navigate to Dashboard CreateDomain page
httpswwwneoroutercomDashboardCreateDomainaspx fill the form and click Save
b Open a terminal on the server host and execute ldquonrserver -setdomain ltdomain namegt ltdomain
passwordgtrdquo On Mac nrserver is located under ldquoLibraryNeoRouterrdquo
2210 Port forwarding
This step is only necessary if your server host is behind a router or firewall We need to expose the NeoRouter
server port to Internet so server can accept incoming connections from the NeoRouter clients If you are using
NeoRouter in-a-box version and your router is directly connected to the cableDSL modem this step is
unnecessary
a Assign the server host a static LAN IP address
b Add ltserver host IP port 32976gt to Port Forwarding list NeoRouter server listens at port 32976 by default
and admin can change the port number using Configuration Explorer or nrserver CLI
Another option is to expose the NeoRouter server port is by UPnP This is only supported on Windows
a Enable UPnP in your router or firewall
b Launch Configuration Explorer on the server host click on ldquoSettingsrdquo tab and change ldquoserver NAT
settingrdquo to ldquoEnable UPnPrdquo
c Click the ldquoRestartrdquo button to restart server daemon
23 Client Setup
231 Install NeoRouter Client on Windows
a Download NeoRouter installation package for Windows NeoRouter server and client for Windows share
the same installation package
If you are installing on Windows 2000 please download the special package for this OS
b If you have installed an earlier version of NeoRouter please uninstall it using Windows Add or Remove
Program tool
c Run the installation wizard choose NeoRouter Client and click the Next button
User Manual
NeoRouter Inc 2010 Page 13 of 53
d On Vista or Win7 you may be prompted with a security warning because NeoRouter installs a virtual
network adapter Please allow the installer to proceed
e Follow the wizard to complete installation
f NeoRouter Network Explorer and Configuration Explorer are added to Windows Start menu
g NeoRouter is installed under ldquoProgram FilesZebraNetworkSystemsNeoRouterrdquo and user data is stored
under ldquoAllUsersAppdataZebraNetworkSystemsNeoRouterrdquo
h NeoRouter client service daemon can be controlled in Services Console (servicesmsc)
232 Install NeoRouter Client on Mac
a Download NeoRouter client for Mac
b If you have installed an earlier version of NeoRouter please uninstall it In a terminal execute command
sudo LibraryNeoRouterrmnrclientsh
c Double-click nrclient-ltversiongt-ltreleasegtdmg to open the disk image in Finder
d Double-click tuntap-ltversiongtpkg to install virtual network interface kernel extension
e Double-click NeoRouterClientmpkg to install NeoRouter client
f On Leopard or above NeoRouter Network Explorer is installed to the Applications folder
g On PPC Tiger a shortcut (nrclientcmd) is created on the Desktop and double-click it will launch Network
Explorer CLI
h NeoRouter is installed under ApplicationsNeoRouterapp and LibraryNeoRouter folder and user data is
stored under usrlocalZebraNetworkSystemsNeoRouter
233 Install NeoRouter Client on Linux
a Download NeoRouter Client for your Linux distribution
b If you have installed an earlier version of NeoRouter please uninstall it
Redhat and Fedora sudo rpm -e nrclient
SuSE sudo rpm -e nrclient
Ubuntu and Debian sudo dpkg -r nrclient
c Install
User Manual
NeoRouter Inc 2010 Page 14 of 53
RedHat and Fedora sudo rpm -i nrclient-ltversiongt-ltreleasegti386rpm
SuSE sudo rpm -i nrclient-ltversiongt-ltreleasegti386rpm
Ubuntu and Debian sudo dpkg -i nrclient-ltversiongt-ltreleasegti386deb
d Configure firewall for P2P connection (Optional)
Establishing direct P2P connection on Linux requires user to disable firewall Otherwise all connections to
this client will be relayed via server User must evaluate the trade-offs between performance and security
If this client is always physically located inside a trusted network like office or home LAN we recommend
disabling firewall and allow P2P connection If this client is physically located in an un-trusted network
like airport or coffee shop we recommend enabling firewall and relay all traffic via server
e Run usrbinnrclientcmd to launch Network Explorer CLI
f NeoRouter is installed under usrbin and user data is stored under
usrlocalZebraNetworkSystemsNeoRouter
234 Install NeoRouter Client on OpenWRT Kamikaze
a Connect to the router using ssh or telnet
b Update available install packages using command opkg update
c If you have installed an earlier version of NeoRouter please uninstall it opkg uninstall nrclient
d Install opkg install httpwwwneoroutercomDownloadsKamikazenrclient_ltversiongt-
ltreleasegt_mipselipk
e Configure firewall for P2P connection (Optional)
Please read NeoRouter client installation instructions for Linux and evaluate the trade-off between
performance and security If you decide to turn off firewall here is the instruction
edit etcfirewalluser and add the following
iptables -t nat -A prerouting_wan -p tcp -j ACCEPT
iptables -A input_wan -p tcp -j ACCEPT
iptables -t nat -A prerouting_wan -p udp -j ACCEPT
iptables -A input_wan -p udp -j ACCEPT
f Run usrbinnrclientcmd to launch Network Explorer CLI
g NeoRouter is installed under usrbin and user data is stored under
usrlocalZebraNetworkSystemsNeoRouter
h Turn your router into a file or backup server (Optional)
If your router has 8MB or more flash there should be enough space left for other packages You can enable
USB storage and Samba server and turn your router into a file server Or you can install rsync and turn it
into a backup server NeoRouters remote access and VPN service will allow you to securely access the
files from anywhere This solution is a lot cheaper than Small Business server or Windows Home server
Enable USB Storage httpnuwikiopenwrtorgoldwikiusbstoragehowto
Install Samba httpwikiopenwrtorgoldwikisambahowto
Install rsync httpoldwikiopenwrtorgrsync(2d)usb(2d)sambaHowTohtml
235 Install NeoRouter Client on Fonera 20N
a As Fonera 20N does not provide enough flash memory to install the NeoRouter client package we can run
it from a USB drive Another option is to flash the router with OpenWrt Kamikaze
b Download NeoRouter Client for Fonera 20N package
c Copy the package to a USB drive plug the USB drive to the FON router
d Connect to router using ssh
e Extract files tar zxvf nrclient-0991528-fon2n-mipseltgz
f If you didnt install the NeoRouter server plugin for FON please run the following commands Otherwise
you can skip this step
cp libuClibc++-022so usrliblibuClibc++-022so
ln -s usrliblibuClibc++-022so usrliblibuClibc++so0
g Setup NeoRouter Client
mkdir usrlocalZebraNetworkSystemsNeoRouter
run ldquonrservice amprdquo to launch the client service in the background
User Manual
NeoRouter Inc 2010 Page 15 of 53
run nrclientcmd to launch the Network Explorer CLI
h Disable firewall if you would like to establish direct P2P connection to this client
i Use the following steps to run client service automatically
vi usrbinnrcronclient and enter
binsh
if [ -z $(ps | grep nrservice | grep -v grep) ] then
usrbinnrservice gtdevnull amp
fi
exit 0
chmod 755 usrbinnrcronclient
Add a new entry to fonstate
etcinitdfonstate stop
vi etcconfigfonstate and enter
config fontimer
option action usrbinnrcronclient
option period 30
etcinitdfonstate start
3 Network Explorer
31 Launch and Sign In
a On Windows launch NeoRouter Network Explorer from Windows Start Menu | All Programs | NeoRouter
| NeoRouter Network Explorer
On Mac Leopard or above launch NeoRouter Network Explorer from Applications folder You can also
pin NeoRouter to the dock
User Manual
NeoRouter Inc 2010 Page 16 of 53
b Enter user credential
- If NeoRouter server is installed on Windows please use the administrator account created during
server setup
- If NeoRouter server is installed on other platforms NeoRouter can defer the authentication to the
operating system so user can sign in using the same username and password as heshe logs into OS
- User can also use the additional accounts created in Configuration Explorer or server CLI
- If you are invited to a NeoRouter domain please contact the administrator for your account
information
c In the Log on to field enter the domain name you have chosen during server setup Alternatively you can
enter the serverrsquos IP address or computer name You can also enter localhost if the Network Explorer is
on the same host as the server
d If the client host is behind proxy please choose Menu ldquoFile | Connectionsrdquo to bring up the Connection
Options dialog click Proxy Setting tab and then set proxy information
e Click the Sign In button
32 Computer List
The computer list is your view of the VLAN You can add any computer in your VLAN to this list and organize
according to your preference You will always have the same list regardless where you sign in from Each user will
have hisher separate list
Initially you will see an empty computer list after signing in for the very first time (see the left picture below) To
add a computer you can choose the menu Computers | Add a computer and then select the computer and category
in the dialog Once complete your computer list will be updated (see the right picture below)
You can use categories to help manage a long list of computers To create a category you can choose menu
Computers | Create a category To move a computer to a different category you can simply drag and drop
User Manual
NeoRouter Inc 2010 Page 17 of 53
Starting in release v098 the computer list shows the OS type icons next to a computer name If a computer is
online its icon is colourful and its name is bold If a computer is offline its icon is grey and its name is not bold
33 Add-on Add-ons extend NeoRouter Network Explorer and let you perform additional tasks over the virtual network
User Manual
NeoRouter Inc 2010 Page 18 of 53
331 Add-on launch pad
If you click on a computer in the computer list a popup dialog will display a list of actions you can take to remotely
control and access this computer This dialog is called the add-on launch pad
Screenshots on Windows
Screenshot on Mac
User Manual
NeoRouter Inc 2010 Page 19 of 53
NeoRouter Network Explorer has a few system default add-ons If a computer is online the following add-ons are
available
Icon Action
remote desktop connection
file sharing
ICMP ping
copy the IP address
If a computer is offline the following add-ons are supported
Icon Action
remote wakeup (WOL)
Note on remote wakeup NeoRouter server can send the Magic packet and wake up hosts that are WOL enabled If
the NeoRouter server is installed on a router remote wakeup works for hosts directly attached to this router If
server is installed on Windows Linux or Mac remote wakeup works for hosts in the same physical LAN To enable
WOL you may need to change BIOS and OS settings
332 Manage Add-ons (Windows)
You can download additional add-ons from the NeoRouter download website
(httpwwwneoroutercomaddonsindexhtml) and install them using the Add-on Manager Here we use UltraVNC
as an example to explain the setup process
a Launch NeoRouter Network Explorer choose menu File - Add-ons
b The Add-ons Manager dialog lists all the existing add-ons including system default ones and those
installed by user
User Manual
NeoRouter Inc 2010 Page 20 of 53
c To find more add-ons click on the Add-ons Gallery link at the bottom of the dialog or visit
httpwwwneoroutercomaddonsindexhtml in your web browser Download the add-on (nri) file to
your computer
d In the Add-ons Manager dialog click on Install button locate the nri file you just downloaded and
click Open to install the add-on
e Some add-ons including UltraVNC may require user to restart the NeoRouter Network Explorer to
complete the installation In such case you will see the following message box You can exit NeoRouter
Network Explorer by right click its icon in system tray and choose exit
f After installation you will see the new add-ons show up in the list
User Manual
NeoRouter Inc 2010 Page 21 of 53
g When you re-launch NeoRouter Network Explorer UltraVNC server will be started automatically If you
have not run UltraVNC server before you will see the following firewall warning and VNC configuration
dialog
h Please click the unblock button when you see the following dialog
Please enter VNC password then click the Ok button
User Manual
NeoRouter Inc 2010 Page 22 of 53
i Repeat the above steps on the remote computer that you plan to access
j To launch VNC viewer and access the remote computer choose the computer in the computer list and
click VNC viewer icon in the launch pad
333 Manage Add-ons (Mac)
a Launch NeoRouter Network Explorer choose menu File - Add-ons
b The Add-ons Manager dialog lists all the existing add-ons including system default ones and those added
by user
User Manual
NeoRouter Inc 2010 Page 23 of 53
c An add-on is essentially an apple script with NeoRouter parameters Here are some examples
Name Script
Copy IP set the clipboard to $NRIPAddress
Ping tell application Terminal to do script ping $NRIPAddress
Shared Folder tell application Finder to open location smb$NRIPAddress
Variables $NRIPAddress and $NRComputerName will be replaced with the IP and name of the selected
computer before the add-on is executed
d You can also create new add-ons or edit existing ones using the Add-On Properties dialog
User Manual
NeoRouter Inc 2010 Page 24 of 53
e To learn more about Apple Script please visit the following websites
httpenwikipediaorgwikiAppleScript
httpdeveloperapplecommaclibrarydocumentationAppleScriptConceptualAppleScriptXAp
pleScriptXhtml
34 Connection Options Connection Options dialog can be opened from Network Explorer menu ldquoFile | Connectionrdquo
341 P2P Connection This option allows user to specify the connection type between this computer and its peers The default option is
UDP User can also use direct TCP connection or relay traffic through NeoRouter server
342 Proxy Setting If the client host is behind proxy user can enter the proxy information here
User Manual
NeoRouter Inc 2010 Page 25 of 53
343 Server Local Address This option can be used to work around the connectivity issue when NeoRouter server is behind a router that does
not support hairpin
A router supports hairpin if it allows a host behind it to send network messages to its public-facing interface
Unfortunately some popular routers do not support this feature or turn off this feature by default
When user logs into NeoRouter Network Explorer first translates domain name into routerrsquos public address using
the NeoRouter DDNS service and then tries to connect to server using this address If both NeoRouter server and
client are behind the same router and the router does not support hairpin the router will block the messages that
client sends to the routerrsquos public address thus client fails to establish connection to server User could work around
this issue by entering serverrsquos LAN IP address instead of domain name in the ldquolog on tordquo box but this can be a
hassle for laptop users who frequently move between networks
These users can choose the second option ldquoConnect to server using its local address when possiblerdquo in the following
dialog and enter serverrsquos local address NeoRouter Network Explorer can detect when client and server are behind
the same router and automatically choose the specified local address to establish the connection to server
User Manual
NeoRouter Inc 2010 Page 26 of 53
35 Multi-Language
Multi-Language support allows you to change the default language displayed in Network Explorer NeoRouter
Portable and Configuration Explorer
351 Install a language resource file
NeoRouter applications support 34 languages and English is the default To install a new language you can
download the language resource files from
httpwwwneoroutercomwikiindexphpNeoRouterWikiMultilanguage and place them under the translation
folder Then the application will load them and list all available languages in the Language menu You can switch
language in the menu and the application will refresh its UI with the new language
For NeoRouter Network Explorer and Configuration Explorer the language resource files should be placed under
one of the following folders
ldquoProgram FilesZebraNetworkSystemsNeoRouterTranslationrdquo
ldquoAllUsersAppdataZebraNetworkSystemsNeoRouterTranslationrdquo
For NeoRouter PortableUSB the language resource file should be placed under Translations folder next to
application
352 Language resource file format
The file name should have the following format [Appliation Name] can be NRClient NRViewer and NRConsole
[LangCd] is the short language code
[Application name]Resource[LangCd][xml|dll]
For example Simplified Chinese version has the following files NRClientResourceZhCnxml for Network
Explorer NRConsoleResourceZhCnxml for Configuration Explorer and NRViewerResourceZhCnxml for
NeoRouter Portable
User Manual
NeoRouter Inc 2010 Page 27 of 53
Each resource file is an xml that contains all the strings defined in the NeoRouter applications The file is encoded in
ANSI The content should be in the format
ltxml version=10 encoding=windows-1252gt
ltresource CompactMode=1 Language=English (United States) LANGID=1033
version=09101650gt
ltstring id=100 value=OLE initialization failed Make sure that the OLE libraries are
the correct versiongt
ltresourcegt
Encoding (=windows-1252) Language(=English (United States)) and LANGID(=1033) are used to control
the translation version=09101650 is resource file version number introduced in v0910 The resource file can
be recognized properly only when these parameters are set properly
353 Multi-Language support for Add-ons
The names and descriptions of the add-ons can be translated to other languages as well You can download the add-
on configuration file from NeoRouter website and overwrite the following file
AllUserAppDataZebraNetworkSystemsNeoRouterAddOnsAddOnxml
36 Skin
Skin allows you to further customize the user interfaces of Network Explorer NeoRouter Portable and
Configuration Explorer
To install a new skin you can download the skin resource file from
httpwwwneoroutercomwikiindexphpNeoRouterWikiSkin and place them under the skin folder
For NeoRouter Network Explorer and Configuration Explorer the language resource files should be placed under
one of the following folders
ldquoProgram FilesZebraNetworkSystemsNeoRouterSkinrdquo
ldquoAllUsersAppdataZebraNetworkSystemsNeoRouterSkinrdquo
For NeoRouter PortableUSB the language resource file should be placed under Skin folder next to executable
To change default skin you need to modify (or create if not exists)
AllUserAppDataZebraNetworkSystemsNeoRouterFeatureini file and add the following
[Default]
SkinName=xxxxstyles
SkinStyle=xxxxini
37 Network Explorer CLI
NeoRouter Network Explorer Command Line Interface (CLI) allows user to sign in manage the computer list and
view computer status Below are the screenshots on Mac and Ubuntu Linux
User Manual
NeoRouter Inc 2010 Page 28 of 53
371 Launch CLI
Usage nrclientcmd [-d DOMAIN] [-u USERNAME] [-p PASSWORD] [-setproxy] [-setconn] [-dbroot DBROOT]
[-internal] [--help]
To launch Network Explorer CLI you can simply run nrclientcmd in a terminal without parameters Mac users can
simply double-click on the nrclientcmd shortcut on the Desktop You will be prompted for domain name and user
credential
If you need to launch nrclientcmd in a startup script you can also provide domain name or credential in the
command line arguments
If the client host is behind a proxy you can use ndashsetproxy option The proxy information will be stored in the
configuration file and nrclientcmd will respect this setting subsequently
There are also a few advance options
- setconn allow user to specify client-to-client connection type
- dbroot allow user to specify the location to store user data
- internal nrclientcmd will generate tags between information sections This option can be used by third
party developers to create a UI wrapper for CLI
372 Computer List in CLI
After signing in you will see your computer list just like on Windows The computer list will automatically update
if there are any changes in your virtual LAN eg a host comes online or offline
At the bottom of the screen lists the available commands you can use to manage the computer list change password
remotely wake up a computer or to quit
38 Network Explorer Portable
NeoRouter Network Explorer Portable can run from any computer without installation It does not require
administrator permission or use the virtual network adapter This application can be extremely useful for users who
need to connect to the VLAN from a public kiosk or from friendrsquos house
User Manual
NeoRouter Inc 2010 Page 29 of 53
Note Prior to v111 Portable and USB are two separate packages They are merged into one package in v111 and
later releases The new package is a zip file containing both the portable client and the USB Auto Run Configuration
Tool The functionalities are same as before
381 Network Explorer Portable
To use Network Explorer Portable client user can simply download it from NeoRouter download website and run
Then user will see the same user interface as the regular Network Explorer The user experience is almost the same
except for the following
The host running PortableUSB client cannot be added to the computer list or be accessed by remote computer
You can think of it as a ldquoviewer of the VLANrdquo
NeoRouter administrator users can see and manage hosts running PortableUSB clients in the Configuration
Explorer
382 Auto Run Configuration for USB
Auto Run Configuration Tool allows user to store the portable client add-ons and configuration on a USB drive
You can even configure it to launch and sign in automatically when the USB drive is plugged into a computer and to
sign out and exit when the USB drive is unplugged
Here are the steps for setting up the USB package
a Download NeoRouter for USB
b Unzip the package to any folder For example CTEMP
c Launch the ldquoAuto Run Configuration Toolrdquo (AutoRunCfgexe)
User Manual
NeoRouter Inc 2010 Page 30 of 53
d Click on the ldquohelliprdquo button next to the working directory text box and specify a working path If the target
USB drive is plugged in you can specify the USB drive root path as the working directory Or you can
specify a temporary path (eg CTEMPUSB) and copy the files to your USB driver later
e Once you specify a working directory the Settings section will be enabled
f Choose CliViewerexe from the same install zip package as the Target file
g Check the Sign in checkbox and enter the domain name and user information to log into your NeoRouter
VLAN
h Setup the proxy information if necessary
i If you want to import a NeoRouter add-on click on the button on the right side of the Add-on file text
box and specify an add-on nri file
j If you want to run an application automatically after signing in click on the Run application
automatically check box and input an executable file path and parameters
k If you want to hide the NeoRouter Viewer window click on the Minimize NeoRouter window when
started
l Click on Save button to save the configuration files It will generate the following files under the working
directory
- Autoruninf
- CliViewerexe copied from the target file
- NRAutoRunxml
- [add-on file]nri if you specify an add-on
- Proxyxml if you specify a proxy
m You will also see the following dialog if the configuration was successful Then please copy all files and
sub-folder under the working directory to the root of your USB drive And the USB drive is ready to use
39 Change Password
A user can change hisher password in NeoRouter Network Explorer User must sign in the Network Explorer using
old password then choose menu ldquoFile | Change Passwordrdquo then enter the new password in the dialog
Network Explorer CLI has similar functionality After signing in user can use ndashchangepassword command to enter
new password
If a user loses the old password an administrator can create a new password for himher using the Configuration
Explorer User Management tool
User Manual
NeoRouter Inc 2010 Page 31 of 53
4 Configuration Explorer
NeoRouter Configuration Explorer is a Windows application that allows an administrator to manage local or remote
NeoRouter server This is the recommended method to change server settings
If user does not have a Windows computer nrserver CLI can be used to perform most configurations
41 Launch and Sign In
Note Only administrators can sign in Configuration Explorer
a User can launch it from Windows Start Menu | All Programs | NeoRouter | NeoRouter Network Explorer
or from NeoRouter Network Explorer menu ldquoFile | Optionsrdquo
b After launch user will see a sign-in dialog that is similar to the Network Explorer counterpart Please enter
domain name and user credential to sign in If the local host is behind a proxy please click on Connection
button to set proxy information
c After sign in the following general information page will be displayed
User Manual
NeoRouter Inc 2010 Page 32 of 53
42 Managing Users
In the User Accounts page you can perform the following tasks
- View existing users The users list can be sorted by any column
- Add a new user admin will create a temporary password for the new user and user can change the
password in Network Explorer
- Edit user information you can enter anything like employer contact info etc
- Set userrsquos password If a user loses password admin can set a temporary password for himher Then user
can change the password again in Network Explorer
- Disable (block) a user A disabled user will not be able to sign in Network Explorer or Configuration
Explorer The userrsquos profile and ACL settings are retained
- Delete a user all information of this user is deleted
- View the computers that are visible to this user (see ACL section for details)
User Manual
NeoRouter Inc 2010 Page 33 of 53
43 Managing Computers
In the Computers page you can perform the following tasks
- View existing computers please note that the Type column will show ldquoTemporaryrdquo for Network Explore
PortableUSB clients and ldquoPermanentrdquo for regular clients The computer list can be sorted by any column
- Edit a computerrsquos alias When a computer is added to the virtual network NeoRouter reads the computer
name from the OS and displays it in the computer list If you prefer a different name you can create an
alias which will then be used in the computer list
- Edit a computerrsquos description you can enter anything like computer owner location asset id etc
- Edit ACL this will be discussed in next section
User Manual
NeoRouter Inc 2010 Page 34 of 53
44 Access Control List
This feature is available in NeoRouter Profession Edition only
441 Overview
The ACL of a host specifies which users are granted or denied access to the host and which specific services or ports
are allowed Administrators can use ACL to manage a NeoRouter domain that has users with different trust levels
For example Joe uses NeoRouter to manage the office network at his small business He wants to share some
documents on a file server with a customer but block this customer from accessing other services on this file server
and other computers at office At the same time Joe and his coworkers should continue to have full access to all
computers
This can be a daunting task with traditional VPN solutions Once Joersquos customer is connected into the office
network heshe can access all network resources just like Joe and his coworkers If the office uses a domain
controller it can help mitigate the threat but Joe would have to check all the computers to ensure they are secure
Some coworkers can make innocent mistakes and share important files or internal websites with ldquoeveryonerdquo With
NeoRouter Joe can manage all the access control at one place and easily solve this challenge
User Manual
NeoRouter Inc 2010 Page 35 of 53
ACL defines the relationships between users and computers that can be conceptually represented using a table In
Joersquos case he needs to define the ACL as follows
Default User Joe (Admin) Customer Joersquo Co-workers
Default Computer ACL Block all
File Server Allow all Allow file sharing
block other services
Office Computer A Allow all Block all
Office Computer B Allow all Block all
Joersquos laptop Allow all Block all
Customerrsquos Computer
Letrsquos first look at the row for File Server Joersquos customer will only have access to the files sharing service There is
no ACL defined for Joe and his co-workers so the ACL for Default User is effective and they have full access
Similarly the customer will be blocked from accessing office computer A and B as well as Joersquos laptop while Joe
and his coworkers have full access to these computers
When the customer connects to Joersquos NeoRouter domain his computer will be added to the domain Because the
ACL for this computer is undefined it will have the same ACL as ldquoDefault Computerrdquo Thus the customerrsquos
computer will block all users including Joe from accessing it The customer has physical access to his own
computer
442 Define Computer ACL
You can think of a computerrsquos ACL as a row in the above ACL table An admin can select any computer in the
computer list and edit its ACL If a group of computers share the same ACL admin can copy ACL from one
computer to another
To edit the Default Computer ACL you can click on the ldquoEdit Default ACLrdquo button in the tool bar
User Manual
NeoRouter Inc 2010 Page 36 of 53
443 Define ACL entry
An ACL entry defines the relationship between one user and one computer You can think of it as a cell in the above
table To edit an ACL entry you can select the computer in the computer list click Edit ACL in the tool bar and
then select the user in the User List in the following dialog If the user does not exist in the list you can click Add
button and add himher
There are 4 types of ACL entries
Undefined the relationship between the user and the computer is not explicitly defined The user does not
show up in the User List of the ACL In this case the Default User ACL entry for this computer will be
effective
Block All the computer is invisible to the user User cannot add the computer to hisher computer list in
Network Explorer or connect to it
Note admin can view the list of computers that is visible to a specific user Click on the User Accounts tab
choose the user and then click on the ldquoUser Computer Listrdquo button from tool bar
Firewall On User can only access the services in the exceptions list provided by the computer
Firewall Off User can access all services provided by the computer
To define the Default User ACL entry for a computer choose Default User from User List If several users have the
same trust level admin can copy the ACL entry from one user to another using the ldquoCopy Fromrdquo button
444 How Firewall Works
NeoRouter Client Service daemon has a built-in firewall that monitors traffic in the virtual network The firewall
downloads the ACL from server and uses it to allow or deny incoming connections in the virtual network
User Manual
NeoRouter Inc 2010 Page 37 of 53
When a remote computer establishes a direct P2P or relayed connection to local host it also informs which user has
signed into the Network Explorer on the remote computer Then the local hostrsquos firewall will use the user id to
choose the appropriate ACL entry and control the virtual network traffic between these two computers If user does
not sign in Network Explorer on the remote computer the Default User ACL entry is used
As a result NeoRouter firewall can control a userrsquos access to a network resource (a computer or a service on a
computer) based on the ACL
445 Example hub-and-spoke
Jeffrsquos company has three business partners A B and C Jeff needs to setup bidirectional network connections with
each partner but these partners should be invisible to each other Jeff setup a NeoRouter domain and invited the
partners to Then Jeff creates the following ACL to achieve his access control goals
Default User Jeff (Admin) Partner A Partner B Partner C
Default Computer ACL Block all Allow all
Jeffrsquos Computer 1 (Hub 1) Allow all
Jeffrsquos Computer 2 (Hub 2) Allow all
Partner Arsquos Computer
Partner Brsquos computer
Partner Crsquos computer
Every user will have access to Jeffrsquos two computers (hub) because they have Default User ACL entry as ldquoAllow
allrdquo Partner Arsquos computer does not have a specific ACL defined so the Default Computer ACL is effective The
Default Computer ACL grants Jeff access to Partner Arsquos computer but make the computer invisible to Partner B and
C Partner A have physical access to his own computer
446 Example one-way access
Jasonrsquos company provide technical support for customer A Jason needs to have one-way access to Customer Arsquos
computer but block Customer A from accessing Jasonrsquos computer Jason sets up the following ACL for his domain
and invites Customer A to join his domain Jason can access all the computers in the domain while Customer A can
access none except for his own
One day Jason visits another Customer Brsquos office He installs NeoRouter client on Customer Brsquos computer so that he
can provide technical support remotely in the future When he signs into Network Explorer he makes sure to
uncheck ldquoremember my passwordrdquo checkbox When he leaves customer Brsquos office he exits the Network Explorer
Because Network Explorer is not running on Customer Brsquos computer the Default User ACL governs the
connections from Customer Brsquos computer to other computers in the VLAN Thus Customer B does not have access
to any computers except for his own When Jason goes back to his office he can connect to Customer Brsquos computer
remotely and provide customer support
The difference between Customer A and B is that Customer A has a NeoRouter user account while Customer B does
not The result is that Jason has access to all three computers while Customer A or B can only access hisher own
computer
Default User Jason (Admin) Customer A
Default Computer ACL Block all Allow all
Jasonrsquos Computer
Customer Arsquos Computer
Customer Brsquos Computer
User Manual
NeoRouter Inc 2010 Page 38 of 53
45 Managing Server and Domain
In the Settings page you can perform the following tasks
- Change domain name User should have setup a domain during the server installation If you decide to
change the domain name you can create a new domain at NeoRouter Dashboard website and then use
Configuration Explorer to switch the server to new domain
- Change Listen Port this is discussed in the Advanced Configuration chapter
- Change NAT setting this is discussed in the Server Installation chapter
- Change DHCP this is discussed in the Advanced Configuration chapter
Please restart the NeoRouter server daemon after changes
46 Branding
This feature is available in NeoRouter Profession Edition only
Admin can customize the logo on the sign-in page NeoRouter Network Explorer and the banner below the computer
list The customization page of the Configuration Explorer allows user to make these changes The changes will be
effective next time user signs into the Network Explorer
User Manual
NeoRouter Inc 2010 Page 39 of 53
a Logo format custom logo can be JPG JPEG BMP or GIF files The Logo will be displayed in 180 80
pixels and the file will be automatically resized to fit The color of the pixel at (0 0) will be used as the
transparent color
b Banner format custom banner can be JPG JPEG BMP or GIF files The banner will be displayed in
190 42 pixels and the file will be automatically resized to fit
c When user clicks on the banner Network Explorer will launch a web browser and navigate to the link
specified in the ldquoBanner Linkrdquo box The banner link should be a valid URL that begins with http eg
httpwwwgooglecom
User Manual
NeoRouter Inc 2010 Page 40 of 53
47 Server Configuration CLI
Another way to configure the NeoRouter server is to use nrserverrsquos CLI If user does not have a Windows computer
with Configuration Explorer this tool can be used to set most configurations
Usage nrserver [options]
-run [--dbroot ltDBROOTgt]]
-showsettings
-setdomain ltDOMAINNAMEgt ltDOMAINPASSWORDgt
-setport ltPORTgt
-dhcp ltSUBNETgt ltNETMASKgt
-showusers
-adduser ltUSERNAMEgt ltPASSWORDgt [admin|user]
-setpassword ltUSERNAMEgt ltNEW PASSWORDgt
-setrole ltUSERNAMEgt [admin|user]
-enableuser ltUSERNAMEgt
-disableuser ltUSERNAMEgt
-deleteuser ltUSERNAMEgt
-showcomputers
-deletecomputer COMPUTERNAME
-setalias COMPUTERNAME ALIAS
-help
5 Advanced Configuration
51 Change Server Port
By default NeoRouter server listens at TCP port 32976 for incoming client connections User can change the
listening port to any valid number between 1 and 65534
a Launch Configuration Explorer sign in and open the Settings tab
b Click on ldquoChange Portrdquo button input the new listening port and click ldquoOkrdquo to save the settings
c If the NeoRouter Server is running on the same computer user will be prompted for restarting the
NeoRouter Server
d If the NeoRouter Server is running on a different computer or device user needs to restart the server
manually
User Manual
NeoRouter Inc 2010 Page 41 of 53
Note
- The new settings will not take effect until the NeoRouter server stops and restarts
- Since the listening port has been changed all NeoRouter clients connected to the server will be
disconnected and have to reconnect to the server
52 Change DHCP NeoRouter server acts as a DHCP server to allocate the virtual IP address when a NeoRouter client connects to it By default the base IP address is 100002552552550 User can change the base IP address to any valid network IP address to meet the specific requirements
a Run Configuration Explorer sign in and open the ldquoSettingsrdquo tab b Click on ldquoChange DHCPrdquo button input the new IP address and netmask and then click ldquoOkrdquo to save the
settings c If the NeoRouter Server is running on the same computer user will be prompted for restarting the
NeoRouter Server d If the NeoRouter Server is running on a different computer or device user needs to restart the server
manually
Note
- The new settings will not take effect until the NeoRouter server stops and restarts
53 Network Bridge
531 Overview NeoRouter (v099 or later) supports the Network Bridge feature which uses two very different means for
interconnecting networks routing and bridging Once the feature is enabled the ACL feature will be disabled
automatically as we cannot control the packets from the external networks anymore and may cause security issues if
its not setup properly So this is an advanced feature for the users who know about it every well
Routing - refers to the interconnection of separate and independent sub-networks (subnets) which have non-
overlapping ranges of IP addresses Upon receiving a packet sent to it a network router examines the
destination IP address to determine which of several connected networks should receive it after which that packet
is forwarded to the proper network
User Manual
NeoRouter Inc 2010 Page 42 of 53
Bridging - by comparison is much simpler A network bridge is simply an electrical interconnection between
separate physical networks that are all carrying the same ranges of IP addresses Standard dumb network hubs
and switches are examples of network bridges With a hub packets arriving at any port are bridged and sent
out to every other port A switch is a bit smarter since it is able to adaptively learn which network interface cards
(NICs) are attached to which ports But a switch is still interconnecting network segments carrying the same
ranges of IP addresses
532 Routing vs Bridging Although routed connections are the most common and straightforward to configure they suffer from significant
operational limitations By comparison bridged connections are generally much trickier to configure and are not
even natively available under all operating systems so they are not the default connection type But when bridging
is properly setup it correctly does everything that we want
Bridging and routing are functionally very similar with the major difference being that a routed VPN will not pass
IP broadcasts while a bridged VPN will
Routing advantages
Efficiency and scalability
Allows better tuning of MTU for efficiency
Routing disadvantages
Clients must use a WINS server (such as samba) to allow cross-VPN network browsing to work
Routes must be set up linking each subnet
Software that depends on broadcasts will not see machines on the other side of the VPN
Works only with IPv4 in general and IPv6 in cases where tuntap drivers on both ends of the connection
support it explicitly
Bridging advantages
Broadcasts traverse the VPN -- this allows software that depends on LAN broadcasts such as Windows
NetBIOS file sharing and network neighborhood browsing to work
No route statements to configure
Works with any protocol that can function over ethernet
Relatively easy-to-configure solution for road warriors
Bridging disadvantages
Less efficient than routing and does not scale well
533 Setup Network Bridge With either bridging mode or routing mode one can create point-to-site VPN site-to-site VPN or even multiple site-
to-site networks Once a network structure is well designed one can use Featureini file to control NeoRouter client
service to implement it
The file Featureini is located in the main configuration folder which can be various for different OS
On Windows Xp
XDocuments and SettingsAll UsersApplication DataZebraNetworkSystemsNeoRouter
On Vista+
XUsersAll UsersZebraNetworkSystemsNeoRouter
On Linux and Mac OSX
usrlocalZebraNetworkSystemsNeoRouter
On in-a-box
jffs
If it does not exist please create one
The only thing to do is define the parameters in the Featureini file
User Manual
NeoRouter Inc 2010 Page 43 of 53
NetworkBridge=1
LANSegment parameter
This is a set of parameters used for mapping the external IP address or IP range to a virtual IP address so that
NeoRouter can route the packets to the proper tunnel Its defined in the following format
LANSegment[index]=[IP|IP range|segment]VIP
[index] - number start from 1 for example 123
[IP] - a valid external IP address for example 192168129126
[IP range] - a set of external IP addresses in the format as IP_BEGIN-IP_END For example 192168129126-
192168129128
[segment] - a set of external IP addresses in the format as SUBNETWORKNETMASK For example
19216812902552552550
For example
[Default]
NetworkBridge=1
LANSegment1=192168129126-192168129128192168129204
LANSegment2=192168129120192168129205
LANSegment3=192168302552552550192168129206
In the sample above the setting tells NeoRouter how to route packets
Here are several common scenarios
534 Bridging Setup ndash point to site VPN
Requirement
A company wants create a point-to-site VPN so that the employees can remotely access the printers or computers in
the office from home or customer site Since NeoRouter client cannot be installed on the printers and some
User Manual
NeoRouter Inc 2010 Page 44 of 53
computers that are running Unix OS (HP-Unix Solaris or SCO Unix) the NeoRouter Network Bridge feature
would the best choice
Design
Since we want to use the printer its better to use the bridging mode Depending on the requirements we split the
network into 3 groups
1 192168129126 - 192168128128 used for computers or printers
2 192168129200 - 192168129254 used for NeoRouter DHCP
3 Other IP address we dont want packets from these IP range go to our VPN
Setup
1 Setup NeoRouter server and config the DHCP address to 1921681292002552552550
2 Setup the gateway computer by creating a bridge to combine the NeoRouter virtual adapter and a local adapter
On Windows XP+ (except WinXp x64) one can use Windows tool to create a bridge
(check out MSDN for details)
Since some adapters may not fully support prosmic mode one has to enable it manually
(check out httpsupportmicrosoftcomkb302348)
gt netsh bridge show adapter
gt netsh bridge set a 1 e
gt netsh bridge set a 2 e
On Linux one can use brctl command to create a bridge
gt brctl addbr $br
gt brctl addif $br eth0
gt brctl addif $br nrtap
gt ifconfig nrtap 0000 promisc up
gt ifconfig eth0 0000 promisc up
gt ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast
gt
gt ifconfig $br down
gt brctl delbr $br
3 Setup Featureini file on each member of the NeoRouter network The content of the file is
[Default]
NetworkBridge=1
LANSegment1=192168129126-192168129128192168129204
After setting the file restart the nrservice or reboot computer
User Manual
NeoRouter Inc 2010 Page 45 of 53
535 Routing Setup ndash site to site VPN
Requirement
A company wants create a site-to-site VPN to link two offices located in different cities They cannot install
NeoRouter client software on their computers running Unix OS (HP-Unix Solaris or SCO Unix) The NeoRouter
Network Bridge feature would be the best choice
Design
To make the VPN fast its better to use the routing mode From the requirements we can see 3 networks
1 19216812902552552550 Office 1
2 192168302552552550 Office 2
3 100102552552550 NeoRouter virtual network
Setup
1 Setup NeoRouter client on each gateway computers
2 One each gateway computer enable the feature allowing the OS to forward packets
On Windows 2000+
create HKEY_Local_MachineSystemCurrentControlSetServicesTcpipParametersIPEnableRouter
as a string value equal to 1 in the registry This will require a system reboot to take effect To confirm it
is enabled do ipconfig all from the command line IP Routing Enabled should say yes If not confirm your
registry setting and reboot again This setting is flaky in non-server versions of Windows
Also refer to httpsupportmicrosoftcomkb230082en-us
On Linux
gt echo 1 gt procsysnetipv4ip_forward
User Manual
NeoRouter Inc 2010 Page 46 of 53
On Mac OS X
1) The easy way is to create or edit etcsysctlconf and add netinetipforwarding=1
or
2) gt sysctl -w netinetipforwarding=1
3 Setup route on each gateway
On the gateway of the 1921683x network
gt route ndashp add 1921681290 mask 25525500 1001103
On the gateway of the 192168129x network
gt route ndashp add 19216830 mask 25525500 1001102
4 Setup route stable When using routing method you need to tell your other machines how to cross the VPN to
access computers on the opposite network
Option1
This requires more work but limits configuration changes to be at the computer level
On each computer of the 1921683x network
gt route ndashp add 1921681290 mask 25525500 1921683234
On each computer of the 192168129x network
gt route ndashp add 19216830 mask 25525500 192168129129
Option 2 (not all routers support this but it is the minimal configuration method)
On the router acting as the default gateway for 1921683x network add a static route that says any traffic destined
for 1921681290 network go through 1921683x (IP address of NeoRouter PC on 1921683x network)
On the router acting as the default gateway for 192168129x network add a static route that says any traffic
destined for 19216830 network go through 192168129x (IP address of NeoRouter PC on 192168129x
network)
User Manual
NeoRouter Inc 2010 Page 47 of 53
536 Bridging Setup ndash site to site VPN
537 Run Scripts When Network Bridge feature is enabled one can define commands getting called by NR Client on the following
events
These commands should be defined in the Featureini file
1When initialize the tap device but not activate it yet
CmdOnTapInit=xxxxxxxxx
2When the tap device gets activated
CmdOnTapActive=xxxxxxxxx
3When tap device gets destroyed
CmdOnTapUninit=xxxxxxxxx
These options are available on all platforms
For example one can define a script to setup static route table after the tap gets activated and has virtual IP address
assigned
Featureini
CmdOnTapActive=usrbinsetroutetablesh
User Manual
NeoRouter Inc 2010 Page 48 of 53
54 Build Custom Add-on (Windows)
541 Create Custom Add-on You can customize an add-on or even create your own
As an example letrsquos create an add-on to get the system info of a remote computer using PsTools by Mark
Russinovich and systeminfoexe command shipped with Windows
PsTools httptechnetmicrosoftcomen-ussysinternalsbb896649aspx
systeminfo httptechnetmicrosoftcomen-uslibrarybb491007aspx
a Launch NeoRouter Network Explorer open Add-ons Manager dialog
b Click + button to create a new add-on
c In add-on properties dialog enter the following
Add-on name psexec systeminfo
Command
cmdexe C cpstoolspsexecexe NRIPAddress -u ltusernamegt systeminfo amp pause
Please replace ltusernamegt with username on the remote computer
Comment Get SystemInfo of remote machine using psexec
Startup Type Manual
Icon click Change Icon button to choose one thats easy to recognize
d In the command you can use Windows environment variables or NeoRouter variables like
NRIPAddress If you click on the button next to the Command edit box you will see the Edit
Command dialog with a list of variables you can use
User Manual
NeoRouter Inc 2010 Page 49 of 53
e Three Startup types are supported
Manual the add-on will be displayed in the launch pad of Network Explorer and user can manually
launch the program
Automatic after signing in the add-on command is automatically executed when user signs into
NeoRouter Network Explorer
Automatic after Windows starts the add-on command is automatically executed when Windows
starts
f Launch the new add-on just click on the target computer in Network Explorer and choose the add-on in
the pop-up launch pad
User Manual
NeoRouter Inc 2010 Page 50 of 53
g In the above steps I have assumed that PsTools are installed at cPsTools and the remote computer has
telnet service enabled If not lets configure the system now
PsTools download from httptechnetmicrosoftcomen-ussysinternalsbb896649aspx and extract to
cPsTools folder
h Configure telnet service on remote computer This step is required on XPVista but not necessary on
Windows 20032008 servers
Run servicesmsc from the Start -gt Run command window and configured the Telnet service for
Automatic Start the service
Follow the instructions here httpsupportmicrosoftcomkb298060en-us
Launch Windows firewall and add CWINDOWSSystem32tlntsvrexe to exception list
542 Add-on File Formats
NeoRouter supports two types of add-on files nri and nra Most users only need to deal with nri files all files
downloaded from httpwwwneoroutercomaddonsindexhtml are in this format nra files are used by advanced
users to build custom add-ons
nri is the full installation package that contains both the application and the the configure info Users can simply
download nri files from and use the Install button to setup the add-on
nra contains only the configuration info Advanced users can create custom add-ons and export the configuration
info as nra files using the Export button in the add-on properties dialog Then heshe can import the nra file
on another client But remember that you will need to manually setup the application as well
User Manual
NeoRouter Inc 2010 Page 51 of 53
6 Licensing NeoRouter
61 Licensing Overview
NeoRouter Server Professional Edition has a license control mechanism User can purchase either 8 licenses or 256
licenses The number of licenses is the max number of client computers allowed in the virtual network A
NeoRouter client requires one license regardless of whether it is online or offline A NeoRouter PortableUSB client
requires one license when it is connected to the virtual network There is no limit on the number of user accounts
NeoRouter Professional has 30 days trial period Please activate before the trial period expires to ensure
uninterrupted usage The license status and remaining trial days can be found at Configuration Explorerrsquos General
page
62 Activation
If you have purchased NeoRouter Professional Edition you should receive a product key in email Please have the
product key ready before starting the activation process
a Ensure NeoRouter server is running
b Launch Configuration Explorer and sign in
c Open ldquoGeneralrdquo page click on the ldquoActivate Productrdquo button
d Enter the product key in the following dialog
e Click on the ldquoOKrdquo button to activate it
After successful activation the ldquoActivate Productrdquo button will disappear and License status will show as activated
If the server host is non-Windows you can also activate using nrserverrsquos CLI The command is as follows On Mac
nrserver executable is located under LibraryNeoRouter
ldquonrserver ndashactivateproduct ltPRODUCT KEYgtrdquo
63 Product Key Recovery
You should receive a product key in email within 48 hours after your purchase If you lose the product key please
contact us and provide your name company shipping address and email address We will verify the information and
resend the product key to you
User Manual
NeoRouter Inc 2010 Page 52 of 53
7 Troubleshooting and Support
71 Troubleshooting
If you come cross issues when using NeoRouter please use the methods to debug or report
711 Troubleshooting steps
1Install Server
2Check Server
Process
3Check Server
Listening port
4Check Port
Forwarding
6Signin with
Domain
14Check Error
Message
20 Generate Log
and email support
9Install Client
10Check Client
Service Process
11Sign in with
serverrsquos local or
public IP and port
failed
sucessful
15 Manually Start
Servernot found
started
not start
found
not open17 Check Port
conflicts
solved
Not solved
opened
19 Check Router
Port Forward
setting
not work
Set properly
8Ready
Sign in successfully
5Sign in with
public IP and port
successful
Cannot sign in
22 Router Hairpin
issue
Cannot
sign in
12Sign in with
domain name
found
successful
failed
16 Manually Start
Client ServiceNot found
started
13Ready
Sign in successfully
18 Check serverCannot
Sign in
solved
Cannot
sign in
21 Check domain
setting
Not sovled solved
Troubleshooting Steps
Setup Server Setup Client
Note
Step 2 and 10 to check if a process is running you can use Task Manager or Services Console on
Windows or ps command on other platforms
Step 3 to check server listening port you can use telnet or netstat on all platforms You can also
TcpViewer on Windows or NetActView on Linux
Step 4 to check port forwarding you can use httpwwwneoroutercomcheckportphp
Step 5 and 6 Tip ndash use Configuration Explorer instead of Network Explorer to debug server issues
Step 20 next section will explain how to generate log files
User Manual
NeoRouter Inc 2010 Page 53 of 53
Step 22 If your router does not support Hairpin please set serverrsquos LAN address in the Connection
Options dialog See Server Local Address
712 Generate Log
If you need technical support please use the following steps to collect the log files and send them to
supportneoroutercom
a Launch Network Explorer
b Select menu item HelpgtgtTroubleshootinggtgtLog Session to File
c If you want to troubleshoot the server then restart the NeoRouter server service from the servicesmsc if
you want to create log for the client then restart the NeoRouter client service from the servicemsc
d After reproduce the issue select menu item HelpgtgtTroubleshootinggtgt Log Session to File again to disable
the log and restart the service you are trying to log
e Select menu item HelpgtgtTroubleshootinggtgtOpen Configuration Folder and you will see the log file
For advanced users please setup logging settings manually referring to
httpwwwneoroutercomwikiindexphpNeoRouterWikiFAQHow_to_generate_a_log_file3F
72 Contact Us
Company website
httpwwwneoroutercom
Technical support
supportneoroutercom
Support ticket
httpswwwneoroutercomDashboardSendTicketaspx
Support forum
httpwwwneoroutercomforum
Product sales
salesneoroutercom
Knowledge base
httpwwwneoroutercomsupport
User Manual
NeoRouter Inc 2010 Page 3 of 53
42 Managing Users 32 43 Managing Computers 33 44 Access Control List 34
441 Overview 34 442 Define Computer ACL 35 443 Define ACL entry 36 444 How Firewall Works 36 445 Example hub-and-spoke 37 446 Example one-way access 37
45 Managing Server and Domain 38 46 Branding 38 47 Server Configuration CLI 40
5 Advanced Configuration 40 51 Change Server Port 40 52 Change DHCP 41 53 Network Bridge 41
531 Overview 41 532 Routing vs Bridging 42 533 Setup Network Bridge 42 534 Bridging Setup ndash point to site VPN 43 535 Routing Setup ndash site to site VPN 45 536 Bridging Setup ndash site to site VPN 47 537 Run Scripts 47
54 Build Custom Add-on (Windows) 48 541 Create Custom Add-on 48 542 Add-on File Formats 50
6 Licensing NeoRouter 51 61 Licensing Overview 51 62 Activation 51 63 Product Key Recovery 51
7 Troubleshooting and Support 52 71 Troubleshooting 52
711 Troubleshooting steps 52 712 Generate Log 53
72 Contact Us 53
User Manual
NeoRouter Inc 2010 Page 4 of 53
1 Scope of service
11 About NeoRouter
NeoRouter is a cross-platform zero-configuration VPN solution that securely connects Windows Mac and Linux
computers at any locations into a virtual LAN and provides a networking platform for various applications like
remote desktop shared folders and printers offsite backup voice amp video chat games etc It is the ideal Remote
Access and VPN solution for small businesses and homes
Many small businesses or homes have high-speed internet and multiple computers and users are facing challenges
like remote access directory management and network security To solve similar problems at large enterprises
skilled administrators can deploy very expensive and complex tools like VPN domain controller and corporate
firewall But small business or home users do not have the right tools that fit their needs
Our mission is to provide low-cost zero-configuration networking solutions for small businesses and homes This is
why we have built NeoRouter
12 Key Features
Feature Description
Cross platform Support Windows (from Windows 2000 to Win7) Mac OSX (from Tiger to Snow
Leopard) Linux (all major distros) and router firmwares (tomato fon and openwrt)
Roaming Profile You can sign in from any computer using the same account and your profile (including
the computer list and your preference) will roam with you
P2P NeoRouter can setup direct peer-to-peer (P2P) connection between computers When
direct P2P connection is impossible (eg your computer is behind a corporate
firewall) NeoRouter relays the network traffic through your own router while other
VPN products relay through a central server geologically located far away and shared
by thousands of other users
High portability You can run NeoRouter portable client from a USB drive without installation This
feature is especially useful if you are using a computer that you do not have the
privileges to setup new software eg in a library or hotel
Unattended servers NeoRouter runs as a system service (daemon) and will automatically reconnect after
reboot
Add-ons Add-ons extend NeoRouter and let you perform additional tasks over the virtual
network
Proxy Proxy support allows you access your virtual network behind proxy servers that
support HTTP Proxy SOCKS4 and SOCKS5 protocols
Remote Wakeup You can put your computer to standby mode to conserve electricity and NeoRouter can
wake up the computer when you actually use it
Reliability NeoRouter does not rely on a central server for connectivity so you do not need to
worry about the unexpected server maintenance and downtime
Network Bridge You can either bridge the NeoRouter virtual network with physical networks or create
multiple site-to-site VPN
Access control You can grant or deny users accesses to a computer or a serviceport individually For
example you can prevent your client Bob from accessing your internal file server even
though they are on the same virtual LAN
Customization You can personalize the user interface with your native language and favorite skin
Branding Business users can integrate the companys logo and customize the banner
User Manual
NeoRouter Inc 2010 Page 5 of 53
13 Glossary and Concepts
NeoRouter Virtual Network (VLAN) NeoRouter software connects a group of hosts from any locations into a
virtual LAN-like network that has similar attributes as a physical LAN Hosts can communicate as if they were
attached to the same broadcast domain even if they are not located on the same network switch
NeoRouter Client A host on the VLAN is called NeoRouter Client It has a virtual network adapter and is assigned
a virtual IP address
NeoRouter Server NeoRouter Server assists clients in discovering and communicating to each other It also
manages usersrsquo profiles and privileges software licenses and branding NeoRouter Clients must connect to server in
order to join the VLAN
NeoRouter Domain One NeoRouter Server and multiple NeoRouter Clients that connect to this server are
collectively called NeoRouter Domain Each domain has a globally unique name as its identification Domain names
are managed by NeoRouter Inc
NeoRouter User A NeoRouter User is a person who uses NeoRouter software and accesses hosts on a virtual
network Please note that many other VPN solutions like OpenVPN or Hamachi do not distinguish a user from a
client host NeoRouter introduces the user concept so that a user will have the experience regardless on which
computer he connects to the VLAN and admin can manage each userrsquos access privilege
NeoRouter Administrator A NeoRouter Admin is a user who can also manage the VLAN
NeoRouter Network Explorer The main application installed on a client that allows users to log into the VLAN
view the connection status of other clients and launch add-on programs to connect to remote clients It may have
graphic or command-line user interface (executable is nrclientcmd)
NeoRouter Network Explorer PortableUSB (aka Viewer) A version of the NeoRouter Network Explorer that
requires no installation It is ideal for users who need to connect from a kiosk but do not have the privilege to install
software It allows users to log in and launch add-on programs just like the regular Network Explorer But the local
computer will not join the VLAN and other clients will not be able to connect to it It also ensures no personal
information is left behind after use
NeoRouter Configuration Explorer (aka Console) An application installed on a client or a server that allows
administrators to manage a VLAN Configuration Explorer for Windows has a graphic user interface and can be
used to configure local or remote server Configuration Explorer for Mac and Linux are built into serverrsquos
command-line interface (executable is nrserver) and can configure local server only
NeoRouter Client Service A daemon program installed on a client that establishes connections to server and peer
clients It always runs in the background and ensures the connections even when the Network Explorer is not
running Most users do not need to interactive with this program directly
Access Control List (ACL) An ACL of a host specifies which users are granted or denied access to the host and
which ports are allowed Each host also has a default ACL which is used if a userrsquos privilege is not explicitly
defined in the hostrsquos ACL or if user does not sign in Network Explorer on the remote host
NeoRouter Dashboard A web-based application that allows users to manage domain information and view
domain status (httpswwwneoroutercomDashboard)
NeoRouter Dynamic Domain Name System (DDNS) To simplify user log on NeoRouter maintains domain
name public IP address and port of every NeoRouter server in a central DDNS server When user launches Network
Explorer and signs into a domain Network Explorer contacts the DDNS server translates the domain name into the
actual IP address and port and connects to the NeoRouter server
User Manual
NeoRouter Inc 2010 Page 6 of 53
14 How it works
In the NeoRouter domain shown in the above diagram three clients at different locations can establish direct P2P
connections with the help from server and can communicate to each other as if they were in the same physical LAN
A NeoRouter server is usually setup on an always-on host that has stable Internet connection and a static or dynamic
public IP address If server is behind a router (or firewall) user needs to configure the router and expose the
NeoRouter server port (default to 32976) to Internet by port-forwarding or UPnP
NeoRouter client can connect from anywhere as long as it has Internet connection User can simply launch
NeoRouter Network Explorer signs in with user credential and domain name and heshe will be able to view the list
of hosts in the VLAN and launch add-on programs to access them Network Explorer uses a DDNS-like protocol to
discover and connects to the NeoRouter server (blue lines) When user executes add-on programs NeoRouter client
will establish a direct P2P connection to the requested peer client (green lines) and a secure tunnel that transfers the
network data from all the add-on programs
NeoRouter server remembers the signature of a client after its first successful connection and NeoRouter Client
Service daemon can then connect to the VLAN without requiring user to log into NeoRouter Network Explorer
This allows an untended server to always stay connected
NeoRouter clients use the STUN and STUNT methods to establish the direct P2P connections and achieve highest
connection speed These methods are widely used in P2P programs and have very high success rate If a client is
behind a symmetric NAT which is often found in large corporations these methods may fail and the connection to
this client will fall back to relay mode If the traffic between two clients is relayed through server the serverrsquos
physical location network speed and CPU load may affect the connection speed
NeoRouter uses SSLv3 (AES-256) protocol to secure the communication channel between client and server and uses
a suite of protocols (RSA 2048bit DH and AES-256) to protect P2P connections among clients This solution meets
the industryrsquos highest security standards
User can setup NeoRouter server and client on the same host NeoRouter server by itself cannot add a host into
VLAN or communicate with peer clients using their virtual IP addresses User often sets up NeoRouter client
software on the same host as server so that this host can become part of the VLAN
User Manual
NeoRouter Inc 2010 Page 7 of 53
15 System Requirements
NeoRouter client and server can be installed on
Windows (Win 7VistaXP200820032000)
Mac OSX (x86 LeopardSnow Leopard PPC Tiger)
Linux i386 and x64 (RedhatFedoraCentOS UbuntuDebian SuSE)
Linux-based router firmware (Tomato OpenWRT Kamikaze Fonera2n)
16 Acknowledgements
NeoRouter is made possible because of the following open-source projects
OpenSSL the Open Source toolkit for SSLTLS httpwwwopensslorg
OpenWrt a Linux based firmware program for embedded devices such as residential gateways and routers
httpwwwopenwrtorg
Tomato Firmware a small lean and simple replacement firmware for Broadcom-based routers
httpwwwpolarcloudcomtomato
Fon A router that allow its user to securely share their Wi-Fi network with other Fon members httpwwwfoncom
Tun-Tap OSX the virtual network interface for Mac OS X httptuntaposxsourceforgenet
Nullsoft Scriptable Install System (NSIS) a professional open source system to create Windows installers
httpnsissourceforgenet
NRClientX a GUI frontend for NeoRouter Network Explorer on Mac Linux and Windows
httpsourceforgenetprojectsnrclientx
User Manual
NeoRouter Inc 2010 Page 8 of 53
2 Installation
21 Check list
Here are the steps to setup a NeoRouter Virtual LAN Please refer to next few sections for detailed instructions on
your target operating systems
Server Setup
a Choose a host that meets the network requirements as NeoRouter server
b Install NeoRouter server software
c Create the first administrator if necessary
d Setup NeoRouter domain
e Configure router or firewall for port-forwarding or UPnP if necessary
Note NeoRouter Server for Windows has an install wizard that guides user through steps b c amp d
Client Setup
a Install NeoRouter client software
b Sign In Network Explorer and join this host to VLAN
c Install add-ons if necessary
License activation See Chapter 6 Licensing NeoRouter
22 Server Setup
221 Server Network Requirements
A NeoRouter server is usually setup on an always-on host that has stable Internet connection and a static or dynamic
public IP address If server is behind a router (or firewall) user needs to configure the router and expose the
NeoRouter server port (default to 32976) to Internet by port-forwarding or UPnP
222 Install NeoRouter server on Windows
a Download NeoRouter installation package for Windows NeoRouter server and client for Windows share
the same installation package
If you are installing on Windows 2000 please download the package for this OS
b If you have installed an earlier version of NeoRouter please uninstall it using Windows Add or Remove
Program tool
You may be prompted with a dialog box asking whether to remove user data files generated by NeoRouter
These files include database configuration and cached information If you are simply upgrading please
click ldquoNordquo to keep the files
c Launch the installation wizard choose NeoRouter Server and click the Next button
User Manual
NeoRouter Inc 2010 Page 9 of 53
d Setup a domain name that can uniquely identify your virtual LAN You will need to enter the domain name
in the log on to box during sign in
e Setup the administrator account for your domain You will need to enter the username and password during
sign in
User Manual
NeoRouter Inc 2010 Page 10 of 53
f Click the Finish button to complete installation
g NeoRouter is installed under ldquoProgram FilesZebraNetworkSystemsNeoRouterrdquo and user data is stored
under ldquoAllUsersAppdataZebraNetworkSystemsNeoRouterrdquo
h NeoRouter server daemon can be controlled in Services Console (servicesmsc)
223 Install NeoRouter server on Mac
a Download NeoRouter server for Mac
b If you have installed an earlier version of NeoRouter please uninstall it In a terminal execute command
sudo LibraryNeoRouterrmnrserversh
c Double-click nrserver-ltversiongt-ltreleasegtdmg to open the disk image in Finder
d Double-click NeoRouterServermpkg to launch installer
e NeoRouter is installed under LibraryNeoRouter folder and user data is stored under
usrlocalZebraNetworkSystemsNeoRouter
224 Install NeoRouter server on Linux
a Download NeoRouter Server for your Linux distribution
b If you have installed an earlier version of NeoRouter please uninstall it
Redhat and Fedora sudo rpm -e nrserver
SuSE sudo rpm -e nrserver
Ubuntu and Debian sudo dpkg -r nrserver
c Install
Ubuntu amp Debian sudo dpkg -i nrserver-ltversiongt-ltreleasegti386deb
SuSE sudo rpm -i nrserver-ltversiongt-ltreleasegti386rpm
Redhat and Fedora sudo rpm -i nrserver-ltversiongt-ltreleasegti386rpm
Configure OpenSSL NeoRouter is compiled using openssl 098g If you have an older version of
Fedora please upgrade the openssl package You may also need to add the following symbol links
cd lib
ln -s libcryptoso098g libcryptoso098
ln -s libsslso098g libsslso098
d Configure firewall for NeoRouter server listening port
User Manual
NeoRouter Inc 2010 Page 11 of 53
Redhat and Fedora In a terminal run command sudo nano etcsysconfigiptables add -A INPUT -m
state --state NEW -m tcp -p tcp --dport 32976 -j ACCEPT before COMMIT
SuSE Launch firewall configuration tool choose Allowed Services in the left panel choose External
Zone in the first drop-down box choose NeoRouter server in the second drop-down box click Add
button click Next click Finish to save the changes
Ubuntu does not support firewall by default If you setup any firewall please open NeoRouter server port
(32976 by default)
e NeoRouter is installed under usrbin and user data is stored under
usrlocalZebraNetworkSystemsNeoRouter
225 Install NeoRouter Server on OpenWRT Kamikaze
a Connect to the router using ssh
b Update available install packages using command opkg update
c If you have installed an earlier version of NeoRouter please uninstall it opkg uninstall nrserver
d Install opkg install httpwwwneoroutercomDownloadsKamikazenrserver_ltversiongt-
ltreleasegt_mipselipk
e Configure firewall for the NeoRouter server listening port
edit etcfirewalluser and add the following
iptables -t nat -A prerouting_wan -p tcp --dport 32976 -j ACCEPT
iptables -A input_wan -p tcp --dport 32976 -j ACCEPT
f NeoRouter is installed under usrbin and user data is stored under
usrlocalZebraNetworkSystemsNeoRouter
226 Install NeoRouter Server on Tomato
a Download NeoRouter Server for Tomato It is a custom build of the full tomato firmware in TRX format
b Flash your router with the downloaded firmware See httpenwikibooksorgwikiTomato_(firmware) for
instructions
c In tomato UI ndash Administration ndash Jffs2 enable jffs and format if needed
d In tomato UI ndash Administration ndash scripts ndash WAN up add usrbinnrserversh start
e Reboot router
f NeoRouter is installed under usrbin and user data is stored under
usrlocalZebraNetworkSystemsNeoRouter
g Troubleshoot If you have trouble signing into NeoRouter Network Explorer from a remote client please
try DISABLE the Inbound Connection Logging In tomato UI - Status - Logs - Logging Configuration
disable Inbound Connection
227 Install NeoRouter Server on Fonera 20 N
a Download the NeoRouter Server for Fonera 20N (FON Plugin) package
b Open browser and log on to Fonera router web interface By default it is http192168101
c Navigate to Dashboard gtgt Applications
d If you have installed an earlier version of NeoRouter please uninstall it choose NeoRouter and click on the
ldquoXrdquo button to remove it
e Make sure there is more than 13MB free space left on the device
f Click the Browse button and choose the NeoRouter package then click the Upgrade button
g The installation will complete in a few seconds and the webpage will refresh automatically Do not
interrupt your browser during installation
h Please verify that NeoRouter icon shows up in the applications list and dashboard
i NeoRouter is installed under usrbin and user data is stored under
usrlocalZebraNetworkSystemsNeoRouter
User Manual
NeoRouter Inc 2010 Page 12 of 53
228 Create first administrator account
On Windows the install wizard will guide user to create the administrator
On non-Windows platforms NeoRouter can defer the authentication to the OS So user can sign in NeoRouter
using the same username and password as heshe logs into OS An exception is that if userrsquos OS account does
not have a password NeoRouter will not allow heshe to log in In this case user must create the first
administrator account using nrserver CLI ldquonrserver -adduser ltusernamegt ltpasswordgt [admin|user]rdquo On Mac
nrserver is located under ldquoLibraryNeoRouterrdquo
229 Setup NeoRouter domain
This step is only necessary on non-Windows platforms because Windows install wizard does this
automatically
a Launch web browser navigate to Dashboard CreateDomain page
httpswwwneoroutercomDashboardCreateDomainaspx fill the form and click Save
b Open a terminal on the server host and execute ldquonrserver -setdomain ltdomain namegt ltdomain
passwordgtrdquo On Mac nrserver is located under ldquoLibraryNeoRouterrdquo
2210 Port forwarding
This step is only necessary if your server host is behind a router or firewall We need to expose the NeoRouter
server port to Internet so server can accept incoming connections from the NeoRouter clients If you are using
NeoRouter in-a-box version and your router is directly connected to the cableDSL modem this step is
unnecessary
a Assign the server host a static LAN IP address
b Add ltserver host IP port 32976gt to Port Forwarding list NeoRouter server listens at port 32976 by default
and admin can change the port number using Configuration Explorer or nrserver CLI
Another option is to expose the NeoRouter server port is by UPnP This is only supported on Windows
a Enable UPnP in your router or firewall
b Launch Configuration Explorer on the server host click on ldquoSettingsrdquo tab and change ldquoserver NAT
settingrdquo to ldquoEnable UPnPrdquo
c Click the ldquoRestartrdquo button to restart server daemon
23 Client Setup
231 Install NeoRouter Client on Windows
a Download NeoRouter installation package for Windows NeoRouter server and client for Windows share
the same installation package
If you are installing on Windows 2000 please download the special package for this OS
b If you have installed an earlier version of NeoRouter please uninstall it using Windows Add or Remove
Program tool
c Run the installation wizard choose NeoRouter Client and click the Next button
User Manual
NeoRouter Inc 2010 Page 13 of 53
d On Vista or Win7 you may be prompted with a security warning because NeoRouter installs a virtual
network adapter Please allow the installer to proceed
e Follow the wizard to complete installation
f NeoRouter Network Explorer and Configuration Explorer are added to Windows Start menu
g NeoRouter is installed under ldquoProgram FilesZebraNetworkSystemsNeoRouterrdquo and user data is stored
under ldquoAllUsersAppdataZebraNetworkSystemsNeoRouterrdquo
h NeoRouter client service daemon can be controlled in Services Console (servicesmsc)
232 Install NeoRouter Client on Mac
a Download NeoRouter client for Mac
b If you have installed an earlier version of NeoRouter please uninstall it In a terminal execute command
sudo LibraryNeoRouterrmnrclientsh
c Double-click nrclient-ltversiongt-ltreleasegtdmg to open the disk image in Finder
d Double-click tuntap-ltversiongtpkg to install virtual network interface kernel extension
e Double-click NeoRouterClientmpkg to install NeoRouter client
f On Leopard or above NeoRouter Network Explorer is installed to the Applications folder
g On PPC Tiger a shortcut (nrclientcmd) is created on the Desktop and double-click it will launch Network
Explorer CLI
h NeoRouter is installed under ApplicationsNeoRouterapp and LibraryNeoRouter folder and user data is
stored under usrlocalZebraNetworkSystemsNeoRouter
233 Install NeoRouter Client on Linux
a Download NeoRouter Client for your Linux distribution
b If you have installed an earlier version of NeoRouter please uninstall it
Redhat and Fedora sudo rpm -e nrclient
SuSE sudo rpm -e nrclient
Ubuntu and Debian sudo dpkg -r nrclient
c Install
User Manual
NeoRouter Inc 2010 Page 14 of 53
RedHat and Fedora sudo rpm -i nrclient-ltversiongt-ltreleasegti386rpm
SuSE sudo rpm -i nrclient-ltversiongt-ltreleasegti386rpm
Ubuntu and Debian sudo dpkg -i nrclient-ltversiongt-ltreleasegti386deb
d Configure firewall for P2P connection (Optional)
Establishing direct P2P connection on Linux requires user to disable firewall Otherwise all connections to
this client will be relayed via server User must evaluate the trade-offs between performance and security
If this client is always physically located inside a trusted network like office or home LAN we recommend
disabling firewall and allow P2P connection If this client is physically located in an un-trusted network
like airport or coffee shop we recommend enabling firewall and relay all traffic via server
e Run usrbinnrclientcmd to launch Network Explorer CLI
f NeoRouter is installed under usrbin and user data is stored under
usrlocalZebraNetworkSystemsNeoRouter
234 Install NeoRouter Client on OpenWRT Kamikaze
a Connect to the router using ssh or telnet
b Update available install packages using command opkg update
c If you have installed an earlier version of NeoRouter please uninstall it opkg uninstall nrclient
d Install opkg install httpwwwneoroutercomDownloadsKamikazenrclient_ltversiongt-
ltreleasegt_mipselipk
e Configure firewall for P2P connection (Optional)
Please read NeoRouter client installation instructions for Linux and evaluate the trade-off between
performance and security If you decide to turn off firewall here is the instruction
edit etcfirewalluser and add the following
iptables -t nat -A prerouting_wan -p tcp -j ACCEPT
iptables -A input_wan -p tcp -j ACCEPT
iptables -t nat -A prerouting_wan -p udp -j ACCEPT
iptables -A input_wan -p udp -j ACCEPT
f Run usrbinnrclientcmd to launch Network Explorer CLI
g NeoRouter is installed under usrbin and user data is stored under
usrlocalZebraNetworkSystemsNeoRouter
h Turn your router into a file or backup server (Optional)
If your router has 8MB or more flash there should be enough space left for other packages You can enable
USB storage and Samba server and turn your router into a file server Or you can install rsync and turn it
into a backup server NeoRouters remote access and VPN service will allow you to securely access the
files from anywhere This solution is a lot cheaper than Small Business server or Windows Home server
Enable USB Storage httpnuwikiopenwrtorgoldwikiusbstoragehowto
Install Samba httpwikiopenwrtorgoldwikisambahowto
Install rsync httpoldwikiopenwrtorgrsync(2d)usb(2d)sambaHowTohtml
235 Install NeoRouter Client on Fonera 20N
a As Fonera 20N does not provide enough flash memory to install the NeoRouter client package we can run
it from a USB drive Another option is to flash the router with OpenWrt Kamikaze
b Download NeoRouter Client for Fonera 20N package
c Copy the package to a USB drive plug the USB drive to the FON router
d Connect to router using ssh
e Extract files tar zxvf nrclient-0991528-fon2n-mipseltgz
f If you didnt install the NeoRouter server plugin for FON please run the following commands Otherwise
you can skip this step
cp libuClibc++-022so usrliblibuClibc++-022so
ln -s usrliblibuClibc++-022so usrliblibuClibc++so0
g Setup NeoRouter Client
mkdir usrlocalZebraNetworkSystemsNeoRouter
run ldquonrservice amprdquo to launch the client service in the background
User Manual
NeoRouter Inc 2010 Page 15 of 53
run nrclientcmd to launch the Network Explorer CLI
h Disable firewall if you would like to establish direct P2P connection to this client
i Use the following steps to run client service automatically
vi usrbinnrcronclient and enter
binsh
if [ -z $(ps | grep nrservice | grep -v grep) ] then
usrbinnrservice gtdevnull amp
fi
exit 0
chmod 755 usrbinnrcronclient
Add a new entry to fonstate
etcinitdfonstate stop
vi etcconfigfonstate and enter
config fontimer
option action usrbinnrcronclient
option period 30
etcinitdfonstate start
3 Network Explorer
31 Launch and Sign In
a On Windows launch NeoRouter Network Explorer from Windows Start Menu | All Programs | NeoRouter
| NeoRouter Network Explorer
On Mac Leopard or above launch NeoRouter Network Explorer from Applications folder You can also
pin NeoRouter to the dock
User Manual
NeoRouter Inc 2010 Page 16 of 53
b Enter user credential
- If NeoRouter server is installed on Windows please use the administrator account created during
server setup
- If NeoRouter server is installed on other platforms NeoRouter can defer the authentication to the
operating system so user can sign in using the same username and password as heshe logs into OS
- User can also use the additional accounts created in Configuration Explorer or server CLI
- If you are invited to a NeoRouter domain please contact the administrator for your account
information
c In the Log on to field enter the domain name you have chosen during server setup Alternatively you can
enter the serverrsquos IP address or computer name You can also enter localhost if the Network Explorer is
on the same host as the server
d If the client host is behind proxy please choose Menu ldquoFile | Connectionsrdquo to bring up the Connection
Options dialog click Proxy Setting tab and then set proxy information
e Click the Sign In button
32 Computer List
The computer list is your view of the VLAN You can add any computer in your VLAN to this list and organize
according to your preference You will always have the same list regardless where you sign in from Each user will
have hisher separate list
Initially you will see an empty computer list after signing in for the very first time (see the left picture below) To
add a computer you can choose the menu Computers | Add a computer and then select the computer and category
in the dialog Once complete your computer list will be updated (see the right picture below)
You can use categories to help manage a long list of computers To create a category you can choose menu
Computers | Create a category To move a computer to a different category you can simply drag and drop
User Manual
NeoRouter Inc 2010 Page 17 of 53
Starting in release v098 the computer list shows the OS type icons next to a computer name If a computer is
online its icon is colourful and its name is bold If a computer is offline its icon is grey and its name is not bold
33 Add-on Add-ons extend NeoRouter Network Explorer and let you perform additional tasks over the virtual network
User Manual
NeoRouter Inc 2010 Page 18 of 53
331 Add-on launch pad
If you click on a computer in the computer list a popup dialog will display a list of actions you can take to remotely
control and access this computer This dialog is called the add-on launch pad
Screenshots on Windows
Screenshot on Mac
User Manual
NeoRouter Inc 2010 Page 19 of 53
NeoRouter Network Explorer has a few system default add-ons If a computer is online the following add-ons are
available
Icon Action
remote desktop connection
file sharing
ICMP ping
copy the IP address
If a computer is offline the following add-ons are supported
Icon Action
remote wakeup (WOL)
Note on remote wakeup NeoRouter server can send the Magic packet and wake up hosts that are WOL enabled If
the NeoRouter server is installed on a router remote wakeup works for hosts directly attached to this router If
server is installed on Windows Linux or Mac remote wakeup works for hosts in the same physical LAN To enable
WOL you may need to change BIOS and OS settings
332 Manage Add-ons (Windows)
You can download additional add-ons from the NeoRouter download website
(httpwwwneoroutercomaddonsindexhtml) and install them using the Add-on Manager Here we use UltraVNC
as an example to explain the setup process
a Launch NeoRouter Network Explorer choose menu File - Add-ons
b The Add-ons Manager dialog lists all the existing add-ons including system default ones and those
installed by user
User Manual
NeoRouter Inc 2010 Page 20 of 53
c To find more add-ons click on the Add-ons Gallery link at the bottom of the dialog or visit
httpwwwneoroutercomaddonsindexhtml in your web browser Download the add-on (nri) file to
your computer
d In the Add-ons Manager dialog click on Install button locate the nri file you just downloaded and
click Open to install the add-on
e Some add-ons including UltraVNC may require user to restart the NeoRouter Network Explorer to
complete the installation In such case you will see the following message box You can exit NeoRouter
Network Explorer by right click its icon in system tray and choose exit
f After installation you will see the new add-ons show up in the list
User Manual
NeoRouter Inc 2010 Page 21 of 53
g When you re-launch NeoRouter Network Explorer UltraVNC server will be started automatically If you
have not run UltraVNC server before you will see the following firewall warning and VNC configuration
dialog
h Please click the unblock button when you see the following dialog
Please enter VNC password then click the Ok button
User Manual
NeoRouter Inc 2010 Page 22 of 53
i Repeat the above steps on the remote computer that you plan to access
j To launch VNC viewer and access the remote computer choose the computer in the computer list and
click VNC viewer icon in the launch pad
333 Manage Add-ons (Mac)
a Launch NeoRouter Network Explorer choose menu File - Add-ons
b The Add-ons Manager dialog lists all the existing add-ons including system default ones and those added
by user
User Manual
NeoRouter Inc 2010 Page 23 of 53
c An add-on is essentially an apple script with NeoRouter parameters Here are some examples
Name Script
Copy IP set the clipboard to $NRIPAddress
Ping tell application Terminal to do script ping $NRIPAddress
Shared Folder tell application Finder to open location smb$NRIPAddress
Variables $NRIPAddress and $NRComputerName will be replaced with the IP and name of the selected
computer before the add-on is executed
d You can also create new add-ons or edit existing ones using the Add-On Properties dialog
User Manual
NeoRouter Inc 2010 Page 24 of 53
e To learn more about Apple Script please visit the following websites
httpenwikipediaorgwikiAppleScript
httpdeveloperapplecommaclibrarydocumentationAppleScriptConceptualAppleScriptXAp
pleScriptXhtml
34 Connection Options Connection Options dialog can be opened from Network Explorer menu ldquoFile | Connectionrdquo
341 P2P Connection This option allows user to specify the connection type between this computer and its peers The default option is
UDP User can also use direct TCP connection or relay traffic through NeoRouter server
342 Proxy Setting If the client host is behind proxy user can enter the proxy information here
User Manual
NeoRouter Inc 2010 Page 25 of 53
343 Server Local Address This option can be used to work around the connectivity issue when NeoRouter server is behind a router that does
not support hairpin
A router supports hairpin if it allows a host behind it to send network messages to its public-facing interface
Unfortunately some popular routers do not support this feature or turn off this feature by default
When user logs into NeoRouter Network Explorer first translates domain name into routerrsquos public address using
the NeoRouter DDNS service and then tries to connect to server using this address If both NeoRouter server and
client are behind the same router and the router does not support hairpin the router will block the messages that
client sends to the routerrsquos public address thus client fails to establish connection to server User could work around
this issue by entering serverrsquos LAN IP address instead of domain name in the ldquolog on tordquo box but this can be a
hassle for laptop users who frequently move between networks
These users can choose the second option ldquoConnect to server using its local address when possiblerdquo in the following
dialog and enter serverrsquos local address NeoRouter Network Explorer can detect when client and server are behind
the same router and automatically choose the specified local address to establish the connection to server
User Manual
NeoRouter Inc 2010 Page 26 of 53
35 Multi-Language
Multi-Language support allows you to change the default language displayed in Network Explorer NeoRouter
Portable and Configuration Explorer
351 Install a language resource file
NeoRouter applications support 34 languages and English is the default To install a new language you can
download the language resource files from
httpwwwneoroutercomwikiindexphpNeoRouterWikiMultilanguage and place them under the translation
folder Then the application will load them and list all available languages in the Language menu You can switch
language in the menu and the application will refresh its UI with the new language
For NeoRouter Network Explorer and Configuration Explorer the language resource files should be placed under
one of the following folders
ldquoProgram FilesZebraNetworkSystemsNeoRouterTranslationrdquo
ldquoAllUsersAppdataZebraNetworkSystemsNeoRouterTranslationrdquo
For NeoRouter PortableUSB the language resource file should be placed under Translations folder next to
application
352 Language resource file format
The file name should have the following format [Appliation Name] can be NRClient NRViewer and NRConsole
[LangCd] is the short language code
[Application name]Resource[LangCd][xml|dll]
For example Simplified Chinese version has the following files NRClientResourceZhCnxml for Network
Explorer NRConsoleResourceZhCnxml for Configuration Explorer and NRViewerResourceZhCnxml for
NeoRouter Portable
User Manual
NeoRouter Inc 2010 Page 27 of 53
Each resource file is an xml that contains all the strings defined in the NeoRouter applications The file is encoded in
ANSI The content should be in the format
ltxml version=10 encoding=windows-1252gt
ltresource CompactMode=1 Language=English (United States) LANGID=1033
version=09101650gt
ltstring id=100 value=OLE initialization failed Make sure that the OLE libraries are
the correct versiongt
ltresourcegt
Encoding (=windows-1252) Language(=English (United States)) and LANGID(=1033) are used to control
the translation version=09101650 is resource file version number introduced in v0910 The resource file can
be recognized properly only when these parameters are set properly
353 Multi-Language support for Add-ons
The names and descriptions of the add-ons can be translated to other languages as well You can download the add-
on configuration file from NeoRouter website and overwrite the following file
AllUserAppDataZebraNetworkSystemsNeoRouterAddOnsAddOnxml
36 Skin
Skin allows you to further customize the user interfaces of Network Explorer NeoRouter Portable and
Configuration Explorer
To install a new skin you can download the skin resource file from
httpwwwneoroutercomwikiindexphpNeoRouterWikiSkin and place them under the skin folder
For NeoRouter Network Explorer and Configuration Explorer the language resource files should be placed under
one of the following folders
ldquoProgram FilesZebraNetworkSystemsNeoRouterSkinrdquo
ldquoAllUsersAppdataZebraNetworkSystemsNeoRouterSkinrdquo
For NeoRouter PortableUSB the language resource file should be placed under Skin folder next to executable
To change default skin you need to modify (or create if not exists)
AllUserAppDataZebraNetworkSystemsNeoRouterFeatureini file and add the following
[Default]
SkinName=xxxxstyles
SkinStyle=xxxxini
37 Network Explorer CLI
NeoRouter Network Explorer Command Line Interface (CLI) allows user to sign in manage the computer list and
view computer status Below are the screenshots on Mac and Ubuntu Linux
User Manual
NeoRouter Inc 2010 Page 28 of 53
371 Launch CLI
Usage nrclientcmd [-d DOMAIN] [-u USERNAME] [-p PASSWORD] [-setproxy] [-setconn] [-dbroot DBROOT]
[-internal] [--help]
To launch Network Explorer CLI you can simply run nrclientcmd in a terminal without parameters Mac users can
simply double-click on the nrclientcmd shortcut on the Desktop You will be prompted for domain name and user
credential
If you need to launch nrclientcmd in a startup script you can also provide domain name or credential in the
command line arguments
If the client host is behind a proxy you can use ndashsetproxy option The proxy information will be stored in the
configuration file and nrclientcmd will respect this setting subsequently
There are also a few advance options
- setconn allow user to specify client-to-client connection type
- dbroot allow user to specify the location to store user data
- internal nrclientcmd will generate tags between information sections This option can be used by third
party developers to create a UI wrapper for CLI
372 Computer List in CLI
After signing in you will see your computer list just like on Windows The computer list will automatically update
if there are any changes in your virtual LAN eg a host comes online or offline
At the bottom of the screen lists the available commands you can use to manage the computer list change password
remotely wake up a computer or to quit
38 Network Explorer Portable
NeoRouter Network Explorer Portable can run from any computer without installation It does not require
administrator permission or use the virtual network adapter This application can be extremely useful for users who
need to connect to the VLAN from a public kiosk or from friendrsquos house
User Manual
NeoRouter Inc 2010 Page 29 of 53
Note Prior to v111 Portable and USB are two separate packages They are merged into one package in v111 and
later releases The new package is a zip file containing both the portable client and the USB Auto Run Configuration
Tool The functionalities are same as before
381 Network Explorer Portable
To use Network Explorer Portable client user can simply download it from NeoRouter download website and run
Then user will see the same user interface as the regular Network Explorer The user experience is almost the same
except for the following
The host running PortableUSB client cannot be added to the computer list or be accessed by remote computer
You can think of it as a ldquoviewer of the VLANrdquo
NeoRouter administrator users can see and manage hosts running PortableUSB clients in the Configuration
Explorer
382 Auto Run Configuration for USB
Auto Run Configuration Tool allows user to store the portable client add-ons and configuration on a USB drive
You can even configure it to launch and sign in automatically when the USB drive is plugged into a computer and to
sign out and exit when the USB drive is unplugged
Here are the steps for setting up the USB package
a Download NeoRouter for USB
b Unzip the package to any folder For example CTEMP
c Launch the ldquoAuto Run Configuration Toolrdquo (AutoRunCfgexe)
User Manual
NeoRouter Inc 2010 Page 30 of 53
d Click on the ldquohelliprdquo button next to the working directory text box and specify a working path If the target
USB drive is plugged in you can specify the USB drive root path as the working directory Or you can
specify a temporary path (eg CTEMPUSB) and copy the files to your USB driver later
e Once you specify a working directory the Settings section will be enabled
f Choose CliViewerexe from the same install zip package as the Target file
g Check the Sign in checkbox and enter the domain name and user information to log into your NeoRouter
VLAN
h Setup the proxy information if necessary
i If you want to import a NeoRouter add-on click on the button on the right side of the Add-on file text
box and specify an add-on nri file
j If you want to run an application automatically after signing in click on the Run application
automatically check box and input an executable file path and parameters
k If you want to hide the NeoRouter Viewer window click on the Minimize NeoRouter window when
started
l Click on Save button to save the configuration files It will generate the following files under the working
directory
- Autoruninf
- CliViewerexe copied from the target file
- NRAutoRunxml
- [add-on file]nri if you specify an add-on
- Proxyxml if you specify a proxy
m You will also see the following dialog if the configuration was successful Then please copy all files and
sub-folder under the working directory to the root of your USB drive And the USB drive is ready to use
39 Change Password
A user can change hisher password in NeoRouter Network Explorer User must sign in the Network Explorer using
old password then choose menu ldquoFile | Change Passwordrdquo then enter the new password in the dialog
Network Explorer CLI has similar functionality After signing in user can use ndashchangepassword command to enter
new password
If a user loses the old password an administrator can create a new password for himher using the Configuration
Explorer User Management tool
User Manual
NeoRouter Inc 2010 Page 31 of 53
4 Configuration Explorer
NeoRouter Configuration Explorer is a Windows application that allows an administrator to manage local or remote
NeoRouter server This is the recommended method to change server settings
If user does not have a Windows computer nrserver CLI can be used to perform most configurations
41 Launch and Sign In
Note Only administrators can sign in Configuration Explorer
a User can launch it from Windows Start Menu | All Programs | NeoRouter | NeoRouter Network Explorer
or from NeoRouter Network Explorer menu ldquoFile | Optionsrdquo
b After launch user will see a sign-in dialog that is similar to the Network Explorer counterpart Please enter
domain name and user credential to sign in If the local host is behind a proxy please click on Connection
button to set proxy information
c After sign in the following general information page will be displayed
User Manual
NeoRouter Inc 2010 Page 32 of 53
42 Managing Users
In the User Accounts page you can perform the following tasks
- View existing users The users list can be sorted by any column
- Add a new user admin will create a temporary password for the new user and user can change the
password in Network Explorer
- Edit user information you can enter anything like employer contact info etc
- Set userrsquos password If a user loses password admin can set a temporary password for himher Then user
can change the password again in Network Explorer
- Disable (block) a user A disabled user will not be able to sign in Network Explorer or Configuration
Explorer The userrsquos profile and ACL settings are retained
- Delete a user all information of this user is deleted
- View the computers that are visible to this user (see ACL section for details)
User Manual
NeoRouter Inc 2010 Page 33 of 53
43 Managing Computers
In the Computers page you can perform the following tasks
- View existing computers please note that the Type column will show ldquoTemporaryrdquo for Network Explore
PortableUSB clients and ldquoPermanentrdquo for regular clients The computer list can be sorted by any column
- Edit a computerrsquos alias When a computer is added to the virtual network NeoRouter reads the computer
name from the OS and displays it in the computer list If you prefer a different name you can create an
alias which will then be used in the computer list
- Edit a computerrsquos description you can enter anything like computer owner location asset id etc
- Edit ACL this will be discussed in next section
User Manual
NeoRouter Inc 2010 Page 34 of 53
44 Access Control List
This feature is available in NeoRouter Profession Edition only
441 Overview
The ACL of a host specifies which users are granted or denied access to the host and which specific services or ports
are allowed Administrators can use ACL to manage a NeoRouter domain that has users with different trust levels
For example Joe uses NeoRouter to manage the office network at his small business He wants to share some
documents on a file server with a customer but block this customer from accessing other services on this file server
and other computers at office At the same time Joe and his coworkers should continue to have full access to all
computers
This can be a daunting task with traditional VPN solutions Once Joersquos customer is connected into the office
network heshe can access all network resources just like Joe and his coworkers If the office uses a domain
controller it can help mitigate the threat but Joe would have to check all the computers to ensure they are secure
Some coworkers can make innocent mistakes and share important files or internal websites with ldquoeveryonerdquo With
NeoRouter Joe can manage all the access control at one place and easily solve this challenge
User Manual
NeoRouter Inc 2010 Page 35 of 53
ACL defines the relationships between users and computers that can be conceptually represented using a table In
Joersquos case he needs to define the ACL as follows
Default User Joe (Admin) Customer Joersquo Co-workers
Default Computer ACL Block all
File Server Allow all Allow file sharing
block other services
Office Computer A Allow all Block all
Office Computer B Allow all Block all
Joersquos laptop Allow all Block all
Customerrsquos Computer
Letrsquos first look at the row for File Server Joersquos customer will only have access to the files sharing service There is
no ACL defined for Joe and his co-workers so the ACL for Default User is effective and they have full access
Similarly the customer will be blocked from accessing office computer A and B as well as Joersquos laptop while Joe
and his coworkers have full access to these computers
When the customer connects to Joersquos NeoRouter domain his computer will be added to the domain Because the
ACL for this computer is undefined it will have the same ACL as ldquoDefault Computerrdquo Thus the customerrsquos
computer will block all users including Joe from accessing it The customer has physical access to his own
computer
442 Define Computer ACL
You can think of a computerrsquos ACL as a row in the above ACL table An admin can select any computer in the
computer list and edit its ACL If a group of computers share the same ACL admin can copy ACL from one
computer to another
To edit the Default Computer ACL you can click on the ldquoEdit Default ACLrdquo button in the tool bar
User Manual
NeoRouter Inc 2010 Page 36 of 53
443 Define ACL entry
An ACL entry defines the relationship between one user and one computer You can think of it as a cell in the above
table To edit an ACL entry you can select the computer in the computer list click Edit ACL in the tool bar and
then select the user in the User List in the following dialog If the user does not exist in the list you can click Add
button and add himher
There are 4 types of ACL entries
Undefined the relationship between the user and the computer is not explicitly defined The user does not
show up in the User List of the ACL In this case the Default User ACL entry for this computer will be
effective
Block All the computer is invisible to the user User cannot add the computer to hisher computer list in
Network Explorer or connect to it
Note admin can view the list of computers that is visible to a specific user Click on the User Accounts tab
choose the user and then click on the ldquoUser Computer Listrdquo button from tool bar
Firewall On User can only access the services in the exceptions list provided by the computer
Firewall Off User can access all services provided by the computer
To define the Default User ACL entry for a computer choose Default User from User List If several users have the
same trust level admin can copy the ACL entry from one user to another using the ldquoCopy Fromrdquo button
444 How Firewall Works
NeoRouter Client Service daemon has a built-in firewall that monitors traffic in the virtual network The firewall
downloads the ACL from server and uses it to allow or deny incoming connections in the virtual network
User Manual
NeoRouter Inc 2010 Page 37 of 53
When a remote computer establishes a direct P2P or relayed connection to local host it also informs which user has
signed into the Network Explorer on the remote computer Then the local hostrsquos firewall will use the user id to
choose the appropriate ACL entry and control the virtual network traffic between these two computers If user does
not sign in Network Explorer on the remote computer the Default User ACL entry is used
As a result NeoRouter firewall can control a userrsquos access to a network resource (a computer or a service on a
computer) based on the ACL
445 Example hub-and-spoke
Jeffrsquos company has three business partners A B and C Jeff needs to setup bidirectional network connections with
each partner but these partners should be invisible to each other Jeff setup a NeoRouter domain and invited the
partners to Then Jeff creates the following ACL to achieve his access control goals
Default User Jeff (Admin) Partner A Partner B Partner C
Default Computer ACL Block all Allow all
Jeffrsquos Computer 1 (Hub 1) Allow all
Jeffrsquos Computer 2 (Hub 2) Allow all
Partner Arsquos Computer
Partner Brsquos computer
Partner Crsquos computer
Every user will have access to Jeffrsquos two computers (hub) because they have Default User ACL entry as ldquoAllow
allrdquo Partner Arsquos computer does not have a specific ACL defined so the Default Computer ACL is effective The
Default Computer ACL grants Jeff access to Partner Arsquos computer but make the computer invisible to Partner B and
C Partner A have physical access to his own computer
446 Example one-way access
Jasonrsquos company provide technical support for customer A Jason needs to have one-way access to Customer Arsquos
computer but block Customer A from accessing Jasonrsquos computer Jason sets up the following ACL for his domain
and invites Customer A to join his domain Jason can access all the computers in the domain while Customer A can
access none except for his own
One day Jason visits another Customer Brsquos office He installs NeoRouter client on Customer Brsquos computer so that he
can provide technical support remotely in the future When he signs into Network Explorer he makes sure to
uncheck ldquoremember my passwordrdquo checkbox When he leaves customer Brsquos office he exits the Network Explorer
Because Network Explorer is not running on Customer Brsquos computer the Default User ACL governs the
connections from Customer Brsquos computer to other computers in the VLAN Thus Customer B does not have access
to any computers except for his own When Jason goes back to his office he can connect to Customer Brsquos computer
remotely and provide customer support
The difference between Customer A and B is that Customer A has a NeoRouter user account while Customer B does
not The result is that Jason has access to all three computers while Customer A or B can only access hisher own
computer
Default User Jason (Admin) Customer A
Default Computer ACL Block all Allow all
Jasonrsquos Computer
Customer Arsquos Computer
Customer Brsquos Computer
User Manual
NeoRouter Inc 2010 Page 38 of 53
45 Managing Server and Domain
In the Settings page you can perform the following tasks
- Change domain name User should have setup a domain during the server installation If you decide to
change the domain name you can create a new domain at NeoRouter Dashboard website and then use
Configuration Explorer to switch the server to new domain
- Change Listen Port this is discussed in the Advanced Configuration chapter
- Change NAT setting this is discussed in the Server Installation chapter
- Change DHCP this is discussed in the Advanced Configuration chapter
Please restart the NeoRouter server daemon after changes
46 Branding
This feature is available in NeoRouter Profession Edition only
Admin can customize the logo on the sign-in page NeoRouter Network Explorer and the banner below the computer
list The customization page of the Configuration Explorer allows user to make these changes The changes will be
effective next time user signs into the Network Explorer
User Manual
NeoRouter Inc 2010 Page 39 of 53
a Logo format custom logo can be JPG JPEG BMP or GIF files The Logo will be displayed in 180 80
pixels and the file will be automatically resized to fit The color of the pixel at (0 0) will be used as the
transparent color
b Banner format custom banner can be JPG JPEG BMP or GIF files The banner will be displayed in
190 42 pixels and the file will be automatically resized to fit
c When user clicks on the banner Network Explorer will launch a web browser and navigate to the link
specified in the ldquoBanner Linkrdquo box The banner link should be a valid URL that begins with http eg
httpwwwgooglecom
User Manual
NeoRouter Inc 2010 Page 40 of 53
47 Server Configuration CLI
Another way to configure the NeoRouter server is to use nrserverrsquos CLI If user does not have a Windows computer
with Configuration Explorer this tool can be used to set most configurations
Usage nrserver [options]
-run [--dbroot ltDBROOTgt]]
-showsettings
-setdomain ltDOMAINNAMEgt ltDOMAINPASSWORDgt
-setport ltPORTgt
-dhcp ltSUBNETgt ltNETMASKgt
-showusers
-adduser ltUSERNAMEgt ltPASSWORDgt [admin|user]
-setpassword ltUSERNAMEgt ltNEW PASSWORDgt
-setrole ltUSERNAMEgt [admin|user]
-enableuser ltUSERNAMEgt
-disableuser ltUSERNAMEgt
-deleteuser ltUSERNAMEgt
-showcomputers
-deletecomputer COMPUTERNAME
-setalias COMPUTERNAME ALIAS
-help
5 Advanced Configuration
51 Change Server Port
By default NeoRouter server listens at TCP port 32976 for incoming client connections User can change the
listening port to any valid number between 1 and 65534
a Launch Configuration Explorer sign in and open the Settings tab
b Click on ldquoChange Portrdquo button input the new listening port and click ldquoOkrdquo to save the settings
c If the NeoRouter Server is running on the same computer user will be prompted for restarting the
NeoRouter Server
d If the NeoRouter Server is running on a different computer or device user needs to restart the server
manually
User Manual
NeoRouter Inc 2010 Page 41 of 53
Note
- The new settings will not take effect until the NeoRouter server stops and restarts
- Since the listening port has been changed all NeoRouter clients connected to the server will be
disconnected and have to reconnect to the server
52 Change DHCP NeoRouter server acts as a DHCP server to allocate the virtual IP address when a NeoRouter client connects to it By default the base IP address is 100002552552550 User can change the base IP address to any valid network IP address to meet the specific requirements
a Run Configuration Explorer sign in and open the ldquoSettingsrdquo tab b Click on ldquoChange DHCPrdquo button input the new IP address and netmask and then click ldquoOkrdquo to save the
settings c If the NeoRouter Server is running on the same computer user will be prompted for restarting the
NeoRouter Server d If the NeoRouter Server is running on a different computer or device user needs to restart the server
manually
Note
- The new settings will not take effect until the NeoRouter server stops and restarts
53 Network Bridge
531 Overview NeoRouter (v099 or later) supports the Network Bridge feature which uses two very different means for
interconnecting networks routing and bridging Once the feature is enabled the ACL feature will be disabled
automatically as we cannot control the packets from the external networks anymore and may cause security issues if
its not setup properly So this is an advanced feature for the users who know about it every well
Routing - refers to the interconnection of separate and independent sub-networks (subnets) which have non-
overlapping ranges of IP addresses Upon receiving a packet sent to it a network router examines the
destination IP address to determine which of several connected networks should receive it after which that packet
is forwarded to the proper network
User Manual
NeoRouter Inc 2010 Page 42 of 53
Bridging - by comparison is much simpler A network bridge is simply an electrical interconnection between
separate physical networks that are all carrying the same ranges of IP addresses Standard dumb network hubs
and switches are examples of network bridges With a hub packets arriving at any port are bridged and sent
out to every other port A switch is a bit smarter since it is able to adaptively learn which network interface cards
(NICs) are attached to which ports But a switch is still interconnecting network segments carrying the same
ranges of IP addresses
532 Routing vs Bridging Although routed connections are the most common and straightforward to configure they suffer from significant
operational limitations By comparison bridged connections are generally much trickier to configure and are not
even natively available under all operating systems so they are not the default connection type But when bridging
is properly setup it correctly does everything that we want
Bridging and routing are functionally very similar with the major difference being that a routed VPN will not pass
IP broadcasts while a bridged VPN will
Routing advantages
Efficiency and scalability
Allows better tuning of MTU for efficiency
Routing disadvantages
Clients must use a WINS server (such as samba) to allow cross-VPN network browsing to work
Routes must be set up linking each subnet
Software that depends on broadcasts will not see machines on the other side of the VPN
Works only with IPv4 in general and IPv6 in cases where tuntap drivers on both ends of the connection
support it explicitly
Bridging advantages
Broadcasts traverse the VPN -- this allows software that depends on LAN broadcasts such as Windows
NetBIOS file sharing and network neighborhood browsing to work
No route statements to configure
Works with any protocol that can function over ethernet
Relatively easy-to-configure solution for road warriors
Bridging disadvantages
Less efficient than routing and does not scale well
533 Setup Network Bridge With either bridging mode or routing mode one can create point-to-site VPN site-to-site VPN or even multiple site-
to-site networks Once a network structure is well designed one can use Featureini file to control NeoRouter client
service to implement it
The file Featureini is located in the main configuration folder which can be various for different OS
On Windows Xp
XDocuments and SettingsAll UsersApplication DataZebraNetworkSystemsNeoRouter
On Vista+
XUsersAll UsersZebraNetworkSystemsNeoRouter
On Linux and Mac OSX
usrlocalZebraNetworkSystemsNeoRouter
On in-a-box
jffs
If it does not exist please create one
The only thing to do is define the parameters in the Featureini file
User Manual
NeoRouter Inc 2010 Page 43 of 53
NetworkBridge=1
LANSegment parameter
This is a set of parameters used for mapping the external IP address or IP range to a virtual IP address so that
NeoRouter can route the packets to the proper tunnel Its defined in the following format
LANSegment[index]=[IP|IP range|segment]VIP
[index] - number start from 1 for example 123
[IP] - a valid external IP address for example 192168129126
[IP range] - a set of external IP addresses in the format as IP_BEGIN-IP_END For example 192168129126-
192168129128
[segment] - a set of external IP addresses in the format as SUBNETWORKNETMASK For example
19216812902552552550
For example
[Default]
NetworkBridge=1
LANSegment1=192168129126-192168129128192168129204
LANSegment2=192168129120192168129205
LANSegment3=192168302552552550192168129206
In the sample above the setting tells NeoRouter how to route packets
Here are several common scenarios
534 Bridging Setup ndash point to site VPN
Requirement
A company wants create a point-to-site VPN so that the employees can remotely access the printers or computers in
the office from home or customer site Since NeoRouter client cannot be installed on the printers and some
User Manual
NeoRouter Inc 2010 Page 44 of 53
computers that are running Unix OS (HP-Unix Solaris or SCO Unix) the NeoRouter Network Bridge feature
would the best choice
Design
Since we want to use the printer its better to use the bridging mode Depending on the requirements we split the
network into 3 groups
1 192168129126 - 192168128128 used for computers or printers
2 192168129200 - 192168129254 used for NeoRouter DHCP
3 Other IP address we dont want packets from these IP range go to our VPN
Setup
1 Setup NeoRouter server and config the DHCP address to 1921681292002552552550
2 Setup the gateway computer by creating a bridge to combine the NeoRouter virtual adapter and a local adapter
On Windows XP+ (except WinXp x64) one can use Windows tool to create a bridge
(check out MSDN for details)
Since some adapters may not fully support prosmic mode one has to enable it manually
(check out httpsupportmicrosoftcomkb302348)
gt netsh bridge show adapter
gt netsh bridge set a 1 e
gt netsh bridge set a 2 e
On Linux one can use brctl command to create a bridge
gt brctl addbr $br
gt brctl addif $br eth0
gt brctl addif $br nrtap
gt ifconfig nrtap 0000 promisc up
gt ifconfig eth0 0000 promisc up
gt ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast
gt
gt ifconfig $br down
gt brctl delbr $br
3 Setup Featureini file on each member of the NeoRouter network The content of the file is
[Default]
NetworkBridge=1
LANSegment1=192168129126-192168129128192168129204
After setting the file restart the nrservice or reboot computer
User Manual
NeoRouter Inc 2010 Page 45 of 53
535 Routing Setup ndash site to site VPN
Requirement
A company wants create a site-to-site VPN to link two offices located in different cities They cannot install
NeoRouter client software on their computers running Unix OS (HP-Unix Solaris or SCO Unix) The NeoRouter
Network Bridge feature would be the best choice
Design
To make the VPN fast its better to use the routing mode From the requirements we can see 3 networks
1 19216812902552552550 Office 1
2 192168302552552550 Office 2
3 100102552552550 NeoRouter virtual network
Setup
1 Setup NeoRouter client on each gateway computers
2 One each gateway computer enable the feature allowing the OS to forward packets
On Windows 2000+
create HKEY_Local_MachineSystemCurrentControlSetServicesTcpipParametersIPEnableRouter
as a string value equal to 1 in the registry This will require a system reboot to take effect To confirm it
is enabled do ipconfig all from the command line IP Routing Enabled should say yes If not confirm your
registry setting and reboot again This setting is flaky in non-server versions of Windows
Also refer to httpsupportmicrosoftcomkb230082en-us
On Linux
gt echo 1 gt procsysnetipv4ip_forward
User Manual
NeoRouter Inc 2010 Page 46 of 53
On Mac OS X
1) The easy way is to create or edit etcsysctlconf and add netinetipforwarding=1
or
2) gt sysctl -w netinetipforwarding=1
3 Setup route on each gateway
On the gateway of the 1921683x network
gt route ndashp add 1921681290 mask 25525500 1001103
On the gateway of the 192168129x network
gt route ndashp add 19216830 mask 25525500 1001102
4 Setup route stable When using routing method you need to tell your other machines how to cross the VPN to
access computers on the opposite network
Option1
This requires more work but limits configuration changes to be at the computer level
On each computer of the 1921683x network
gt route ndashp add 1921681290 mask 25525500 1921683234
On each computer of the 192168129x network
gt route ndashp add 19216830 mask 25525500 192168129129
Option 2 (not all routers support this but it is the minimal configuration method)
On the router acting as the default gateway for 1921683x network add a static route that says any traffic destined
for 1921681290 network go through 1921683x (IP address of NeoRouter PC on 1921683x network)
On the router acting as the default gateway for 192168129x network add a static route that says any traffic
destined for 19216830 network go through 192168129x (IP address of NeoRouter PC on 192168129x
network)
User Manual
NeoRouter Inc 2010 Page 47 of 53
536 Bridging Setup ndash site to site VPN
537 Run Scripts When Network Bridge feature is enabled one can define commands getting called by NR Client on the following
events
These commands should be defined in the Featureini file
1When initialize the tap device but not activate it yet
CmdOnTapInit=xxxxxxxxx
2When the tap device gets activated
CmdOnTapActive=xxxxxxxxx
3When tap device gets destroyed
CmdOnTapUninit=xxxxxxxxx
These options are available on all platforms
For example one can define a script to setup static route table after the tap gets activated and has virtual IP address
assigned
Featureini
CmdOnTapActive=usrbinsetroutetablesh
User Manual
NeoRouter Inc 2010 Page 48 of 53
54 Build Custom Add-on (Windows)
541 Create Custom Add-on You can customize an add-on or even create your own
As an example letrsquos create an add-on to get the system info of a remote computer using PsTools by Mark
Russinovich and systeminfoexe command shipped with Windows
PsTools httptechnetmicrosoftcomen-ussysinternalsbb896649aspx
systeminfo httptechnetmicrosoftcomen-uslibrarybb491007aspx
a Launch NeoRouter Network Explorer open Add-ons Manager dialog
b Click + button to create a new add-on
c In add-on properties dialog enter the following
Add-on name psexec systeminfo
Command
cmdexe C cpstoolspsexecexe NRIPAddress -u ltusernamegt systeminfo amp pause
Please replace ltusernamegt with username on the remote computer
Comment Get SystemInfo of remote machine using psexec
Startup Type Manual
Icon click Change Icon button to choose one thats easy to recognize
d In the command you can use Windows environment variables or NeoRouter variables like
NRIPAddress If you click on the button next to the Command edit box you will see the Edit
Command dialog with a list of variables you can use
User Manual
NeoRouter Inc 2010 Page 49 of 53
e Three Startup types are supported
Manual the add-on will be displayed in the launch pad of Network Explorer and user can manually
launch the program
Automatic after signing in the add-on command is automatically executed when user signs into
NeoRouter Network Explorer
Automatic after Windows starts the add-on command is automatically executed when Windows
starts
f Launch the new add-on just click on the target computer in Network Explorer and choose the add-on in
the pop-up launch pad
User Manual
NeoRouter Inc 2010 Page 50 of 53
g In the above steps I have assumed that PsTools are installed at cPsTools and the remote computer has
telnet service enabled If not lets configure the system now
PsTools download from httptechnetmicrosoftcomen-ussysinternalsbb896649aspx and extract to
cPsTools folder
h Configure telnet service on remote computer This step is required on XPVista but not necessary on
Windows 20032008 servers
Run servicesmsc from the Start -gt Run command window and configured the Telnet service for
Automatic Start the service
Follow the instructions here httpsupportmicrosoftcomkb298060en-us
Launch Windows firewall and add CWINDOWSSystem32tlntsvrexe to exception list
542 Add-on File Formats
NeoRouter supports two types of add-on files nri and nra Most users only need to deal with nri files all files
downloaded from httpwwwneoroutercomaddonsindexhtml are in this format nra files are used by advanced
users to build custom add-ons
nri is the full installation package that contains both the application and the the configure info Users can simply
download nri files from and use the Install button to setup the add-on
nra contains only the configuration info Advanced users can create custom add-ons and export the configuration
info as nra files using the Export button in the add-on properties dialog Then heshe can import the nra file
on another client But remember that you will need to manually setup the application as well
User Manual
NeoRouter Inc 2010 Page 51 of 53
6 Licensing NeoRouter
61 Licensing Overview
NeoRouter Server Professional Edition has a license control mechanism User can purchase either 8 licenses or 256
licenses The number of licenses is the max number of client computers allowed in the virtual network A
NeoRouter client requires one license regardless of whether it is online or offline A NeoRouter PortableUSB client
requires one license when it is connected to the virtual network There is no limit on the number of user accounts
NeoRouter Professional has 30 days trial period Please activate before the trial period expires to ensure
uninterrupted usage The license status and remaining trial days can be found at Configuration Explorerrsquos General
page
62 Activation
If you have purchased NeoRouter Professional Edition you should receive a product key in email Please have the
product key ready before starting the activation process
a Ensure NeoRouter server is running
b Launch Configuration Explorer and sign in
c Open ldquoGeneralrdquo page click on the ldquoActivate Productrdquo button
d Enter the product key in the following dialog
e Click on the ldquoOKrdquo button to activate it
After successful activation the ldquoActivate Productrdquo button will disappear and License status will show as activated
If the server host is non-Windows you can also activate using nrserverrsquos CLI The command is as follows On Mac
nrserver executable is located under LibraryNeoRouter
ldquonrserver ndashactivateproduct ltPRODUCT KEYgtrdquo
63 Product Key Recovery
You should receive a product key in email within 48 hours after your purchase If you lose the product key please
contact us and provide your name company shipping address and email address We will verify the information and
resend the product key to you
User Manual
NeoRouter Inc 2010 Page 52 of 53
7 Troubleshooting and Support
71 Troubleshooting
If you come cross issues when using NeoRouter please use the methods to debug or report
711 Troubleshooting steps
1Install Server
2Check Server
Process
3Check Server
Listening port
4Check Port
Forwarding
6Signin with
Domain
14Check Error
Message
20 Generate Log
and email support
9Install Client
10Check Client
Service Process
11Sign in with
serverrsquos local or
public IP and port
failed
sucessful
15 Manually Start
Servernot found
started
not start
found
not open17 Check Port
conflicts
solved
Not solved
opened
19 Check Router
Port Forward
setting
not work
Set properly
8Ready
Sign in successfully
5Sign in with
public IP and port
successful
Cannot sign in
22 Router Hairpin
issue
Cannot
sign in
12Sign in with
domain name
found
successful
failed
16 Manually Start
Client ServiceNot found
started
13Ready
Sign in successfully
18 Check serverCannot
Sign in
solved
Cannot
sign in
21 Check domain
setting
Not sovled solved
Troubleshooting Steps
Setup Server Setup Client
Note
Step 2 and 10 to check if a process is running you can use Task Manager or Services Console on
Windows or ps command on other platforms
Step 3 to check server listening port you can use telnet or netstat on all platforms You can also
TcpViewer on Windows or NetActView on Linux
Step 4 to check port forwarding you can use httpwwwneoroutercomcheckportphp
Step 5 and 6 Tip ndash use Configuration Explorer instead of Network Explorer to debug server issues
Step 20 next section will explain how to generate log files
User Manual
NeoRouter Inc 2010 Page 53 of 53
Step 22 If your router does not support Hairpin please set serverrsquos LAN address in the Connection
Options dialog See Server Local Address
712 Generate Log
If you need technical support please use the following steps to collect the log files and send them to
supportneoroutercom
a Launch Network Explorer
b Select menu item HelpgtgtTroubleshootinggtgtLog Session to File
c If you want to troubleshoot the server then restart the NeoRouter server service from the servicesmsc if
you want to create log for the client then restart the NeoRouter client service from the servicemsc
d After reproduce the issue select menu item HelpgtgtTroubleshootinggtgt Log Session to File again to disable
the log and restart the service you are trying to log
e Select menu item HelpgtgtTroubleshootinggtgtOpen Configuration Folder and you will see the log file
For advanced users please setup logging settings manually referring to
httpwwwneoroutercomwikiindexphpNeoRouterWikiFAQHow_to_generate_a_log_file3F
72 Contact Us
Company website
httpwwwneoroutercom
Technical support
supportneoroutercom
Support ticket
httpswwwneoroutercomDashboardSendTicketaspx
Support forum
httpwwwneoroutercomforum
Product sales
salesneoroutercom
Knowledge base
httpwwwneoroutercomsupport
User Manual
NeoRouter Inc 2010 Page 4 of 53
1 Scope of service
11 About NeoRouter
NeoRouter is a cross-platform zero-configuration VPN solution that securely connects Windows Mac and Linux
computers at any locations into a virtual LAN and provides a networking platform for various applications like
remote desktop shared folders and printers offsite backup voice amp video chat games etc It is the ideal Remote
Access and VPN solution for small businesses and homes
Many small businesses or homes have high-speed internet and multiple computers and users are facing challenges
like remote access directory management and network security To solve similar problems at large enterprises
skilled administrators can deploy very expensive and complex tools like VPN domain controller and corporate
firewall But small business or home users do not have the right tools that fit their needs
Our mission is to provide low-cost zero-configuration networking solutions for small businesses and homes This is
why we have built NeoRouter
12 Key Features
Feature Description
Cross platform Support Windows (from Windows 2000 to Win7) Mac OSX (from Tiger to Snow
Leopard) Linux (all major distros) and router firmwares (tomato fon and openwrt)
Roaming Profile You can sign in from any computer using the same account and your profile (including
the computer list and your preference) will roam with you
P2P NeoRouter can setup direct peer-to-peer (P2P) connection between computers When
direct P2P connection is impossible (eg your computer is behind a corporate
firewall) NeoRouter relays the network traffic through your own router while other
VPN products relay through a central server geologically located far away and shared
by thousands of other users
High portability You can run NeoRouter portable client from a USB drive without installation This
feature is especially useful if you are using a computer that you do not have the
privileges to setup new software eg in a library or hotel
Unattended servers NeoRouter runs as a system service (daemon) and will automatically reconnect after
reboot
Add-ons Add-ons extend NeoRouter and let you perform additional tasks over the virtual
network
Proxy Proxy support allows you access your virtual network behind proxy servers that
support HTTP Proxy SOCKS4 and SOCKS5 protocols
Remote Wakeup You can put your computer to standby mode to conserve electricity and NeoRouter can
wake up the computer when you actually use it
Reliability NeoRouter does not rely on a central server for connectivity so you do not need to
worry about the unexpected server maintenance and downtime
Network Bridge You can either bridge the NeoRouter virtual network with physical networks or create
multiple site-to-site VPN
Access control You can grant or deny users accesses to a computer or a serviceport individually For
example you can prevent your client Bob from accessing your internal file server even
though they are on the same virtual LAN
Customization You can personalize the user interface with your native language and favorite skin
Branding Business users can integrate the companys logo and customize the banner
User Manual
NeoRouter Inc 2010 Page 5 of 53
13 Glossary and Concepts
NeoRouter Virtual Network (VLAN) NeoRouter software connects a group of hosts from any locations into a
virtual LAN-like network that has similar attributes as a physical LAN Hosts can communicate as if they were
attached to the same broadcast domain even if they are not located on the same network switch
NeoRouter Client A host on the VLAN is called NeoRouter Client It has a virtual network adapter and is assigned
a virtual IP address
NeoRouter Server NeoRouter Server assists clients in discovering and communicating to each other It also
manages usersrsquo profiles and privileges software licenses and branding NeoRouter Clients must connect to server in
order to join the VLAN
NeoRouter Domain One NeoRouter Server and multiple NeoRouter Clients that connect to this server are
collectively called NeoRouter Domain Each domain has a globally unique name as its identification Domain names
are managed by NeoRouter Inc
NeoRouter User A NeoRouter User is a person who uses NeoRouter software and accesses hosts on a virtual
network Please note that many other VPN solutions like OpenVPN or Hamachi do not distinguish a user from a
client host NeoRouter introduces the user concept so that a user will have the experience regardless on which
computer he connects to the VLAN and admin can manage each userrsquos access privilege
NeoRouter Administrator A NeoRouter Admin is a user who can also manage the VLAN
NeoRouter Network Explorer The main application installed on a client that allows users to log into the VLAN
view the connection status of other clients and launch add-on programs to connect to remote clients It may have
graphic or command-line user interface (executable is nrclientcmd)
NeoRouter Network Explorer PortableUSB (aka Viewer) A version of the NeoRouter Network Explorer that
requires no installation It is ideal for users who need to connect from a kiosk but do not have the privilege to install
software It allows users to log in and launch add-on programs just like the regular Network Explorer But the local
computer will not join the VLAN and other clients will not be able to connect to it It also ensures no personal
information is left behind after use
NeoRouter Configuration Explorer (aka Console) An application installed on a client or a server that allows
administrators to manage a VLAN Configuration Explorer for Windows has a graphic user interface and can be
used to configure local or remote server Configuration Explorer for Mac and Linux are built into serverrsquos
command-line interface (executable is nrserver) and can configure local server only
NeoRouter Client Service A daemon program installed on a client that establishes connections to server and peer
clients It always runs in the background and ensures the connections even when the Network Explorer is not
running Most users do not need to interactive with this program directly
Access Control List (ACL) An ACL of a host specifies which users are granted or denied access to the host and
which ports are allowed Each host also has a default ACL which is used if a userrsquos privilege is not explicitly
defined in the hostrsquos ACL or if user does not sign in Network Explorer on the remote host
NeoRouter Dashboard A web-based application that allows users to manage domain information and view
domain status (httpswwwneoroutercomDashboard)
NeoRouter Dynamic Domain Name System (DDNS) To simplify user log on NeoRouter maintains domain
name public IP address and port of every NeoRouter server in a central DDNS server When user launches Network
Explorer and signs into a domain Network Explorer contacts the DDNS server translates the domain name into the
actual IP address and port and connects to the NeoRouter server
User Manual
NeoRouter Inc 2010 Page 6 of 53
14 How it works
In the NeoRouter domain shown in the above diagram three clients at different locations can establish direct P2P
connections with the help from server and can communicate to each other as if they were in the same physical LAN
A NeoRouter server is usually setup on an always-on host that has stable Internet connection and a static or dynamic
public IP address If server is behind a router (or firewall) user needs to configure the router and expose the
NeoRouter server port (default to 32976) to Internet by port-forwarding or UPnP
NeoRouter client can connect from anywhere as long as it has Internet connection User can simply launch
NeoRouter Network Explorer signs in with user credential and domain name and heshe will be able to view the list
of hosts in the VLAN and launch add-on programs to access them Network Explorer uses a DDNS-like protocol to
discover and connects to the NeoRouter server (blue lines) When user executes add-on programs NeoRouter client
will establish a direct P2P connection to the requested peer client (green lines) and a secure tunnel that transfers the
network data from all the add-on programs
NeoRouter server remembers the signature of a client after its first successful connection and NeoRouter Client
Service daemon can then connect to the VLAN without requiring user to log into NeoRouter Network Explorer
This allows an untended server to always stay connected
NeoRouter clients use the STUN and STUNT methods to establish the direct P2P connections and achieve highest
connection speed These methods are widely used in P2P programs and have very high success rate If a client is
behind a symmetric NAT which is often found in large corporations these methods may fail and the connection to
this client will fall back to relay mode If the traffic between two clients is relayed through server the serverrsquos
physical location network speed and CPU load may affect the connection speed
NeoRouter uses SSLv3 (AES-256) protocol to secure the communication channel between client and server and uses
a suite of protocols (RSA 2048bit DH and AES-256) to protect P2P connections among clients This solution meets
the industryrsquos highest security standards
User can setup NeoRouter server and client on the same host NeoRouter server by itself cannot add a host into
VLAN or communicate with peer clients using their virtual IP addresses User often sets up NeoRouter client
software on the same host as server so that this host can become part of the VLAN
User Manual
NeoRouter Inc 2010 Page 7 of 53
15 System Requirements
NeoRouter client and server can be installed on
Windows (Win 7VistaXP200820032000)
Mac OSX (x86 LeopardSnow Leopard PPC Tiger)
Linux i386 and x64 (RedhatFedoraCentOS UbuntuDebian SuSE)
Linux-based router firmware (Tomato OpenWRT Kamikaze Fonera2n)
16 Acknowledgements
NeoRouter is made possible because of the following open-source projects
OpenSSL the Open Source toolkit for SSLTLS httpwwwopensslorg
OpenWrt a Linux based firmware program for embedded devices such as residential gateways and routers
httpwwwopenwrtorg
Tomato Firmware a small lean and simple replacement firmware for Broadcom-based routers
httpwwwpolarcloudcomtomato
Fon A router that allow its user to securely share their Wi-Fi network with other Fon members httpwwwfoncom
Tun-Tap OSX the virtual network interface for Mac OS X httptuntaposxsourceforgenet
Nullsoft Scriptable Install System (NSIS) a professional open source system to create Windows installers
httpnsissourceforgenet
NRClientX a GUI frontend for NeoRouter Network Explorer on Mac Linux and Windows
httpsourceforgenetprojectsnrclientx
User Manual
NeoRouter Inc 2010 Page 8 of 53
2 Installation
21 Check list
Here are the steps to setup a NeoRouter Virtual LAN Please refer to next few sections for detailed instructions on
your target operating systems
Server Setup
a Choose a host that meets the network requirements as NeoRouter server
b Install NeoRouter server software
c Create the first administrator if necessary
d Setup NeoRouter domain
e Configure router or firewall for port-forwarding or UPnP if necessary
Note NeoRouter Server for Windows has an install wizard that guides user through steps b c amp d
Client Setup
a Install NeoRouter client software
b Sign In Network Explorer and join this host to VLAN
c Install add-ons if necessary
License activation See Chapter 6 Licensing NeoRouter
22 Server Setup
221 Server Network Requirements
A NeoRouter server is usually setup on an always-on host that has stable Internet connection and a static or dynamic
public IP address If server is behind a router (or firewall) user needs to configure the router and expose the
NeoRouter server port (default to 32976) to Internet by port-forwarding or UPnP
222 Install NeoRouter server on Windows
a Download NeoRouter installation package for Windows NeoRouter server and client for Windows share
the same installation package
If you are installing on Windows 2000 please download the package for this OS
b If you have installed an earlier version of NeoRouter please uninstall it using Windows Add or Remove
Program tool
You may be prompted with a dialog box asking whether to remove user data files generated by NeoRouter
These files include database configuration and cached information If you are simply upgrading please
click ldquoNordquo to keep the files
c Launch the installation wizard choose NeoRouter Server and click the Next button
User Manual
NeoRouter Inc 2010 Page 9 of 53
d Setup a domain name that can uniquely identify your virtual LAN You will need to enter the domain name
in the log on to box during sign in
e Setup the administrator account for your domain You will need to enter the username and password during
sign in
User Manual
NeoRouter Inc 2010 Page 10 of 53
f Click the Finish button to complete installation
g NeoRouter is installed under ldquoProgram FilesZebraNetworkSystemsNeoRouterrdquo and user data is stored
under ldquoAllUsersAppdataZebraNetworkSystemsNeoRouterrdquo
h NeoRouter server daemon can be controlled in Services Console (servicesmsc)
223 Install NeoRouter server on Mac
a Download NeoRouter server for Mac
b If you have installed an earlier version of NeoRouter please uninstall it In a terminal execute command
sudo LibraryNeoRouterrmnrserversh
c Double-click nrserver-ltversiongt-ltreleasegtdmg to open the disk image in Finder
d Double-click NeoRouterServermpkg to launch installer
e NeoRouter is installed under LibraryNeoRouter folder and user data is stored under
usrlocalZebraNetworkSystemsNeoRouter
224 Install NeoRouter server on Linux
a Download NeoRouter Server for your Linux distribution
b If you have installed an earlier version of NeoRouter please uninstall it
Redhat and Fedora sudo rpm -e nrserver
SuSE sudo rpm -e nrserver
Ubuntu and Debian sudo dpkg -r nrserver
c Install
Ubuntu amp Debian sudo dpkg -i nrserver-ltversiongt-ltreleasegti386deb
SuSE sudo rpm -i nrserver-ltversiongt-ltreleasegti386rpm
Redhat and Fedora sudo rpm -i nrserver-ltversiongt-ltreleasegti386rpm
Configure OpenSSL NeoRouter is compiled using openssl 098g If you have an older version of
Fedora please upgrade the openssl package You may also need to add the following symbol links
cd lib
ln -s libcryptoso098g libcryptoso098
ln -s libsslso098g libsslso098
d Configure firewall for NeoRouter server listening port
User Manual
NeoRouter Inc 2010 Page 11 of 53
Redhat and Fedora In a terminal run command sudo nano etcsysconfigiptables add -A INPUT -m
state --state NEW -m tcp -p tcp --dport 32976 -j ACCEPT before COMMIT
SuSE Launch firewall configuration tool choose Allowed Services in the left panel choose External
Zone in the first drop-down box choose NeoRouter server in the second drop-down box click Add
button click Next click Finish to save the changes
Ubuntu does not support firewall by default If you setup any firewall please open NeoRouter server port
(32976 by default)
e NeoRouter is installed under usrbin and user data is stored under
usrlocalZebraNetworkSystemsNeoRouter
225 Install NeoRouter Server on OpenWRT Kamikaze
a Connect to the router using ssh
b Update available install packages using command opkg update
c If you have installed an earlier version of NeoRouter please uninstall it opkg uninstall nrserver
d Install opkg install httpwwwneoroutercomDownloadsKamikazenrserver_ltversiongt-
ltreleasegt_mipselipk
e Configure firewall for the NeoRouter server listening port
edit etcfirewalluser and add the following
iptables -t nat -A prerouting_wan -p tcp --dport 32976 -j ACCEPT
iptables -A input_wan -p tcp --dport 32976 -j ACCEPT
f NeoRouter is installed under usrbin and user data is stored under
usrlocalZebraNetworkSystemsNeoRouter
226 Install NeoRouter Server on Tomato
a Download NeoRouter Server for Tomato It is a custom build of the full tomato firmware in TRX format
b Flash your router with the downloaded firmware See httpenwikibooksorgwikiTomato_(firmware) for
instructions
c In tomato UI ndash Administration ndash Jffs2 enable jffs and format if needed
d In tomato UI ndash Administration ndash scripts ndash WAN up add usrbinnrserversh start
e Reboot router
f NeoRouter is installed under usrbin and user data is stored under
usrlocalZebraNetworkSystemsNeoRouter
g Troubleshoot If you have trouble signing into NeoRouter Network Explorer from a remote client please
try DISABLE the Inbound Connection Logging In tomato UI - Status - Logs - Logging Configuration
disable Inbound Connection
227 Install NeoRouter Server on Fonera 20 N
a Download the NeoRouter Server for Fonera 20N (FON Plugin) package
b Open browser and log on to Fonera router web interface By default it is http192168101
c Navigate to Dashboard gtgt Applications
d If you have installed an earlier version of NeoRouter please uninstall it choose NeoRouter and click on the
ldquoXrdquo button to remove it
e Make sure there is more than 13MB free space left on the device
f Click the Browse button and choose the NeoRouter package then click the Upgrade button
g The installation will complete in a few seconds and the webpage will refresh automatically Do not
interrupt your browser during installation
h Please verify that NeoRouter icon shows up in the applications list and dashboard
i NeoRouter is installed under usrbin and user data is stored under
usrlocalZebraNetworkSystemsNeoRouter
User Manual
NeoRouter Inc 2010 Page 12 of 53
228 Create first administrator account
On Windows the install wizard will guide user to create the administrator
On non-Windows platforms NeoRouter can defer the authentication to the OS So user can sign in NeoRouter
using the same username and password as heshe logs into OS An exception is that if userrsquos OS account does
not have a password NeoRouter will not allow heshe to log in In this case user must create the first
administrator account using nrserver CLI ldquonrserver -adduser ltusernamegt ltpasswordgt [admin|user]rdquo On Mac
nrserver is located under ldquoLibraryNeoRouterrdquo
229 Setup NeoRouter domain
This step is only necessary on non-Windows platforms because Windows install wizard does this
automatically
a Launch web browser navigate to Dashboard CreateDomain page
httpswwwneoroutercomDashboardCreateDomainaspx fill the form and click Save
b Open a terminal on the server host and execute ldquonrserver -setdomain ltdomain namegt ltdomain
passwordgtrdquo On Mac nrserver is located under ldquoLibraryNeoRouterrdquo
2210 Port forwarding
This step is only necessary if your server host is behind a router or firewall We need to expose the NeoRouter
server port to Internet so server can accept incoming connections from the NeoRouter clients If you are using
NeoRouter in-a-box version and your router is directly connected to the cableDSL modem this step is
unnecessary
a Assign the server host a static LAN IP address
b Add ltserver host IP port 32976gt to Port Forwarding list NeoRouter server listens at port 32976 by default
and admin can change the port number using Configuration Explorer or nrserver CLI
Another option is to expose the NeoRouter server port is by UPnP This is only supported on Windows
a Enable UPnP in your router or firewall
b Launch Configuration Explorer on the server host click on ldquoSettingsrdquo tab and change ldquoserver NAT
settingrdquo to ldquoEnable UPnPrdquo
c Click the ldquoRestartrdquo button to restart server daemon
23 Client Setup
231 Install NeoRouter Client on Windows
a Download NeoRouter installation package for Windows NeoRouter server and client for Windows share
the same installation package
If you are installing on Windows 2000 please download the special package for this OS
b If you have installed an earlier version of NeoRouter please uninstall it using Windows Add or Remove
Program tool
c Run the installation wizard choose NeoRouter Client and click the Next button
User Manual
NeoRouter Inc 2010 Page 13 of 53
d On Vista or Win7 you may be prompted with a security warning because NeoRouter installs a virtual
network adapter Please allow the installer to proceed
e Follow the wizard to complete installation
f NeoRouter Network Explorer and Configuration Explorer are added to Windows Start menu
g NeoRouter is installed under ldquoProgram FilesZebraNetworkSystemsNeoRouterrdquo and user data is stored
under ldquoAllUsersAppdataZebraNetworkSystemsNeoRouterrdquo
h NeoRouter client service daemon can be controlled in Services Console (servicesmsc)
232 Install NeoRouter Client on Mac
a Download NeoRouter client for Mac
b If you have installed an earlier version of NeoRouter please uninstall it In a terminal execute command
sudo LibraryNeoRouterrmnrclientsh
c Double-click nrclient-ltversiongt-ltreleasegtdmg to open the disk image in Finder
d Double-click tuntap-ltversiongtpkg to install virtual network interface kernel extension
e Double-click NeoRouterClientmpkg to install NeoRouter client
f On Leopard or above NeoRouter Network Explorer is installed to the Applications folder
g On PPC Tiger a shortcut (nrclientcmd) is created on the Desktop and double-click it will launch Network
Explorer CLI
h NeoRouter is installed under ApplicationsNeoRouterapp and LibraryNeoRouter folder and user data is
stored under usrlocalZebraNetworkSystemsNeoRouter
233 Install NeoRouter Client on Linux
a Download NeoRouter Client for your Linux distribution
b If you have installed an earlier version of NeoRouter please uninstall it
Redhat and Fedora sudo rpm -e nrclient
SuSE sudo rpm -e nrclient
Ubuntu and Debian sudo dpkg -r nrclient
c Install
User Manual
NeoRouter Inc 2010 Page 14 of 53
RedHat and Fedora sudo rpm -i nrclient-ltversiongt-ltreleasegti386rpm
SuSE sudo rpm -i nrclient-ltversiongt-ltreleasegti386rpm
Ubuntu and Debian sudo dpkg -i nrclient-ltversiongt-ltreleasegti386deb
d Configure firewall for P2P connection (Optional)
Establishing direct P2P connection on Linux requires user to disable firewall Otherwise all connections to
this client will be relayed via server User must evaluate the trade-offs between performance and security
If this client is always physically located inside a trusted network like office or home LAN we recommend
disabling firewall and allow P2P connection If this client is physically located in an un-trusted network
like airport or coffee shop we recommend enabling firewall and relay all traffic via server
e Run usrbinnrclientcmd to launch Network Explorer CLI
f NeoRouter is installed under usrbin and user data is stored under
usrlocalZebraNetworkSystemsNeoRouter
234 Install NeoRouter Client on OpenWRT Kamikaze
a Connect to the router using ssh or telnet
b Update available install packages using command opkg update
c If you have installed an earlier version of NeoRouter please uninstall it opkg uninstall nrclient
d Install opkg install httpwwwneoroutercomDownloadsKamikazenrclient_ltversiongt-
ltreleasegt_mipselipk
e Configure firewall for P2P connection (Optional)
Please read NeoRouter client installation instructions for Linux and evaluate the trade-off between
performance and security If you decide to turn off firewall here is the instruction
edit etcfirewalluser and add the following
iptables -t nat -A prerouting_wan -p tcp -j ACCEPT
iptables -A input_wan -p tcp -j ACCEPT
iptables -t nat -A prerouting_wan -p udp -j ACCEPT
iptables -A input_wan -p udp -j ACCEPT
f Run usrbinnrclientcmd to launch Network Explorer CLI
g NeoRouter is installed under usrbin and user data is stored under
usrlocalZebraNetworkSystemsNeoRouter
h Turn your router into a file or backup server (Optional)
If your router has 8MB or more flash there should be enough space left for other packages You can enable
USB storage and Samba server and turn your router into a file server Or you can install rsync and turn it
into a backup server NeoRouters remote access and VPN service will allow you to securely access the
files from anywhere This solution is a lot cheaper than Small Business server or Windows Home server
Enable USB Storage httpnuwikiopenwrtorgoldwikiusbstoragehowto
Install Samba httpwikiopenwrtorgoldwikisambahowto
Install rsync httpoldwikiopenwrtorgrsync(2d)usb(2d)sambaHowTohtml
235 Install NeoRouter Client on Fonera 20N
a As Fonera 20N does not provide enough flash memory to install the NeoRouter client package we can run
it from a USB drive Another option is to flash the router with OpenWrt Kamikaze
b Download NeoRouter Client for Fonera 20N package
c Copy the package to a USB drive plug the USB drive to the FON router
d Connect to router using ssh
e Extract files tar zxvf nrclient-0991528-fon2n-mipseltgz
f If you didnt install the NeoRouter server plugin for FON please run the following commands Otherwise
you can skip this step
cp libuClibc++-022so usrliblibuClibc++-022so
ln -s usrliblibuClibc++-022so usrliblibuClibc++so0
g Setup NeoRouter Client
mkdir usrlocalZebraNetworkSystemsNeoRouter
run ldquonrservice amprdquo to launch the client service in the background
User Manual
NeoRouter Inc 2010 Page 15 of 53
run nrclientcmd to launch the Network Explorer CLI
h Disable firewall if you would like to establish direct P2P connection to this client
i Use the following steps to run client service automatically
vi usrbinnrcronclient and enter
binsh
if [ -z $(ps | grep nrservice | grep -v grep) ] then
usrbinnrservice gtdevnull amp
fi
exit 0
chmod 755 usrbinnrcronclient
Add a new entry to fonstate
etcinitdfonstate stop
vi etcconfigfonstate and enter
config fontimer
option action usrbinnrcronclient
option period 30
etcinitdfonstate start
3 Network Explorer
31 Launch and Sign In
a On Windows launch NeoRouter Network Explorer from Windows Start Menu | All Programs | NeoRouter
| NeoRouter Network Explorer
On Mac Leopard or above launch NeoRouter Network Explorer from Applications folder You can also
pin NeoRouter to the dock
User Manual
NeoRouter Inc 2010 Page 16 of 53
b Enter user credential
- If NeoRouter server is installed on Windows please use the administrator account created during
server setup
- If NeoRouter server is installed on other platforms NeoRouter can defer the authentication to the
operating system so user can sign in using the same username and password as heshe logs into OS
- User can also use the additional accounts created in Configuration Explorer or server CLI
- If you are invited to a NeoRouter domain please contact the administrator for your account
information
c In the Log on to field enter the domain name you have chosen during server setup Alternatively you can
enter the serverrsquos IP address or computer name You can also enter localhost if the Network Explorer is
on the same host as the server
d If the client host is behind proxy please choose Menu ldquoFile | Connectionsrdquo to bring up the Connection
Options dialog click Proxy Setting tab and then set proxy information
e Click the Sign In button
32 Computer List
The computer list is your view of the VLAN You can add any computer in your VLAN to this list and organize
according to your preference You will always have the same list regardless where you sign in from Each user will
have hisher separate list
Initially you will see an empty computer list after signing in for the very first time (see the left picture below) To
add a computer you can choose the menu Computers | Add a computer and then select the computer and category
in the dialog Once complete your computer list will be updated (see the right picture below)
You can use categories to help manage a long list of computers To create a category you can choose menu
Computers | Create a category To move a computer to a different category you can simply drag and drop
User Manual
NeoRouter Inc 2010 Page 17 of 53
Starting in release v098 the computer list shows the OS type icons next to a computer name If a computer is
online its icon is colourful and its name is bold If a computer is offline its icon is grey and its name is not bold
33 Add-on Add-ons extend NeoRouter Network Explorer and let you perform additional tasks over the virtual network
User Manual
NeoRouter Inc 2010 Page 18 of 53
331 Add-on launch pad
If you click on a computer in the computer list a popup dialog will display a list of actions you can take to remotely
control and access this computer This dialog is called the add-on launch pad
Screenshots on Windows
Screenshot on Mac
User Manual
NeoRouter Inc 2010 Page 19 of 53
NeoRouter Network Explorer has a few system default add-ons If a computer is online the following add-ons are
available
Icon Action
remote desktop connection
file sharing
ICMP ping
copy the IP address
If a computer is offline the following add-ons are supported
Icon Action
remote wakeup (WOL)
Note on remote wakeup NeoRouter server can send the Magic packet and wake up hosts that are WOL enabled If
the NeoRouter server is installed on a router remote wakeup works for hosts directly attached to this router If
server is installed on Windows Linux or Mac remote wakeup works for hosts in the same physical LAN To enable
WOL you may need to change BIOS and OS settings
332 Manage Add-ons (Windows)
You can download additional add-ons from the NeoRouter download website
(httpwwwneoroutercomaddonsindexhtml) and install them using the Add-on Manager Here we use UltraVNC
as an example to explain the setup process
a Launch NeoRouter Network Explorer choose menu File - Add-ons
b The Add-ons Manager dialog lists all the existing add-ons including system default ones and those
installed by user
User Manual
NeoRouter Inc 2010 Page 20 of 53
c To find more add-ons click on the Add-ons Gallery link at the bottom of the dialog or visit
httpwwwneoroutercomaddonsindexhtml in your web browser Download the add-on (nri) file to
your computer
d In the Add-ons Manager dialog click on Install button locate the nri file you just downloaded and
click Open to install the add-on
e Some add-ons including UltraVNC may require user to restart the NeoRouter Network Explorer to
complete the installation In such case you will see the following message box You can exit NeoRouter
Network Explorer by right click its icon in system tray and choose exit
f After installation you will see the new add-ons show up in the list
User Manual
NeoRouter Inc 2010 Page 21 of 53
g When you re-launch NeoRouter Network Explorer UltraVNC server will be started automatically If you
have not run UltraVNC server before you will see the following firewall warning and VNC configuration
dialog
h Please click the unblock button when you see the following dialog
Please enter VNC password then click the Ok button
User Manual
NeoRouter Inc 2010 Page 22 of 53
i Repeat the above steps on the remote computer that you plan to access
j To launch VNC viewer and access the remote computer choose the computer in the computer list and
click VNC viewer icon in the launch pad
333 Manage Add-ons (Mac)
a Launch NeoRouter Network Explorer choose menu File - Add-ons
b The Add-ons Manager dialog lists all the existing add-ons including system default ones and those added
by user
User Manual
NeoRouter Inc 2010 Page 23 of 53
c An add-on is essentially an apple script with NeoRouter parameters Here are some examples
Name Script
Copy IP set the clipboard to $NRIPAddress
Ping tell application Terminal to do script ping $NRIPAddress
Shared Folder tell application Finder to open location smb$NRIPAddress
Variables $NRIPAddress and $NRComputerName will be replaced with the IP and name of the selected
computer before the add-on is executed
d You can also create new add-ons or edit existing ones using the Add-On Properties dialog
User Manual
NeoRouter Inc 2010 Page 24 of 53
e To learn more about Apple Script please visit the following websites
httpenwikipediaorgwikiAppleScript
httpdeveloperapplecommaclibrarydocumentationAppleScriptConceptualAppleScriptXAp
pleScriptXhtml
34 Connection Options Connection Options dialog can be opened from Network Explorer menu ldquoFile | Connectionrdquo
341 P2P Connection This option allows user to specify the connection type between this computer and its peers The default option is
UDP User can also use direct TCP connection or relay traffic through NeoRouter server
342 Proxy Setting If the client host is behind proxy user can enter the proxy information here
User Manual
NeoRouter Inc 2010 Page 25 of 53
343 Server Local Address This option can be used to work around the connectivity issue when NeoRouter server is behind a router that does
not support hairpin
A router supports hairpin if it allows a host behind it to send network messages to its public-facing interface
Unfortunately some popular routers do not support this feature or turn off this feature by default
When user logs into NeoRouter Network Explorer first translates domain name into routerrsquos public address using
the NeoRouter DDNS service and then tries to connect to server using this address If both NeoRouter server and
client are behind the same router and the router does not support hairpin the router will block the messages that
client sends to the routerrsquos public address thus client fails to establish connection to server User could work around
this issue by entering serverrsquos LAN IP address instead of domain name in the ldquolog on tordquo box but this can be a
hassle for laptop users who frequently move between networks
These users can choose the second option ldquoConnect to server using its local address when possiblerdquo in the following
dialog and enter serverrsquos local address NeoRouter Network Explorer can detect when client and server are behind
the same router and automatically choose the specified local address to establish the connection to server
User Manual
NeoRouter Inc 2010 Page 26 of 53
35 Multi-Language
Multi-Language support allows you to change the default language displayed in Network Explorer NeoRouter
Portable and Configuration Explorer
351 Install a language resource file
NeoRouter applications support 34 languages and English is the default To install a new language you can
download the language resource files from
httpwwwneoroutercomwikiindexphpNeoRouterWikiMultilanguage and place them under the translation
folder Then the application will load them and list all available languages in the Language menu You can switch
language in the menu and the application will refresh its UI with the new language
For NeoRouter Network Explorer and Configuration Explorer the language resource files should be placed under
one of the following folders
ldquoProgram FilesZebraNetworkSystemsNeoRouterTranslationrdquo
ldquoAllUsersAppdataZebraNetworkSystemsNeoRouterTranslationrdquo
For NeoRouter PortableUSB the language resource file should be placed under Translations folder next to
application
352 Language resource file format
The file name should have the following format [Appliation Name] can be NRClient NRViewer and NRConsole
[LangCd] is the short language code
[Application name]Resource[LangCd][xml|dll]
For example Simplified Chinese version has the following files NRClientResourceZhCnxml for Network
Explorer NRConsoleResourceZhCnxml for Configuration Explorer and NRViewerResourceZhCnxml for
NeoRouter Portable
User Manual
NeoRouter Inc 2010 Page 27 of 53
Each resource file is an xml that contains all the strings defined in the NeoRouter applications The file is encoded in
ANSI The content should be in the format
ltxml version=10 encoding=windows-1252gt
ltresource CompactMode=1 Language=English (United States) LANGID=1033
version=09101650gt
ltstring id=100 value=OLE initialization failed Make sure that the OLE libraries are
the correct versiongt
ltresourcegt
Encoding (=windows-1252) Language(=English (United States)) and LANGID(=1033) are used to control
the translation version=09101650 is resource file version number introduced in v0910 The resource file can
be recognized properly only when these parameters are set properly
353 Multi-Language support for Add-ons
The names and descriptions of the add-ons can be translated to other languages as well You can download the add-
on configuration file from NeoRouter website and overwrite the following file
AllUserAppDataZebraNetworkSystemsNeoRouterAddOnsAddOnxml
36 Skin
Skin allows you to further customize the user interfaces of Network Explorer NeoRouter Portable and
Configuration Explorer
To install a new skin you can download the skin resource file from
httpwwwneoroutercomwikiindexphpNeoRouterWikiSkin and place them under the skin folder
For NeoRouter Network Explorer and Configuration Explorer the language resource files should be placed under
one of the following folders
ldquoProgram FilesZebraNetworkSystemsNeoRouterSkinrdquo
ldquoAllUsersAppdataZebraNetworkSystemsNeoRouterSkinrdquo
For NeoRouter PortableUSB the language resource file should be placed under Skin folder next to executable
To change default skin you need to modify (or create if not exists)
AllUserAppDataZebraNetworkSystemsNeoRouterFeatureini file and add the following
[Default]
SkinName=xxxxstyles
SkinStyle=xxxxini
37 Network Explorer CLI
NeoRouter Network Explorer Command Line Interface (CLI) allows user to sign in manage the computer list and
view computer status Below are the screenshots on Mac and Ubuntu Linux
User Manual
NeoRouter Inc 2010 Page 28 of 53
371 Launch CLI
Usage nrclientcmd [-d DOMAIN] [-u USERNAME] [-p PASSWORD] [-setproxy] [-setconn] [-dbroot DBROOT]
[-internal] [--help]
To launch Network Explorer CLI you can simply run nrclientcmd in a terminal without parameters Mac users can
simply double-click on the nrclientcmd shortcut on the Desktop You will be prompted for domain name and user
credential
If you need to launch nrclientcmd in a startup script you can also provide domain name or credential in the
command line arguments
If the client host is behind a proxy you can use ndashsetproxy option The proxy information will be stored in the
configuration file and nrclientcmd will respect this setting subsequently
There are also a few advance options
- setconn allow user to specify client-to-client connection type
- dbroot allow user to specify the location to store user data
- internal nrclientcmd will generate tags between information sections This option can be used by third
party developers to create a UI wrapper for CLI
372 Computer List in CLI
After signing in you will see your computer list just like on Windows The computer list will automatically update
if there are any changes in your virtual LAN eg a host comes online or offline
At the bottom of the screen lists the available commands you can use to manage the computer list change password
remotely wake up a computer or to quit
38 Network Explorer Portable
NeoRouter Network Explorer Portable can run from any computer without installation It does not require
administrator permission or use the virtual network adapter This application can be extremely useful for users who
need to connect to the VLAN from a public kiosk or from friendrsquos house
User Manual
NeoRouter Inc 2010 Page 29 of 53
Note Prior to v111 Portable and USB are two separate packages They are merged into one package in v111 and
later releases The new package is a zip file containing both the portable client and the USB Auto Run Configuration
Tool The functionalities are same as before
381 Network Explorer Portable
To use Network Explorer Portable client user can simply download it from NeoRouter download website and run
Then user will see the same user interface as the regular Network Explorer The user experience is almost the same
except for the following
The host running PortableUSB client cannot be added to the computer list or be accessed by remote computer
You can think of it as a ldquoviewer of the VLANrdquo
NeoRouter administrator users can see and manage hosts running PortableUSB clients in the Configuration
Explorer
382 Auto Run Configuration for USB
Auto Run Configuration Tool allows user to store the portable client add-ons and configuration on a USB drive
You can even configure it to launch and sign in automatically when the USB drive is plugged into a computer and to
sign out and exit when the USB drive is unplugged
Here are the steps for setting up the USB package
a Download NeoRouter for USB
b Unzip the package to any folder For example CTEMP
c Launch the ldquoAuto Run Configuration Toolrdquo (AutoRunCfgexe)
User Manual
NeoRouter Inc 2010 Page 30 of 53
d Click on the ldquohelliprdquo button next to the working directory text box and specify a working path If the target
USB drive is plugged in you can specify the USB drive root path as the working directory Or you can
specify a temporary path (eg CTEMPUSB) and copy the files to your USB driver later
e Once you specify a working directory the Settings section will be enabled
f Choose CliViewerexe from the same install zip package as the Target file
g Check the Sign in checkbox and enter the domain name and user information to log into your NeoRouter
VLAN
h Setup the proxy information if necessary
i If you want to import a NeoRouter add-on click on the button on the right side of the Add-on file text
box and specify an add-on nri file
j If you want to run an application automatically after signing in click on the Run application
automatically check box and input an executable file path and parameters
k If you want to hide the NeoRouter Viewer window click on the Minimize NeoRouter window when
started
l Click on Save button to save the configuration files It will generate the following files under the working
directory
- Autoruninf
- CliViewerexe copied from the target file
- NRAutoRunxml
- [add-on file]nri if you specify an add-on
- Proxyxml if you specify a proxy
m You will also see the following dialog if the configuration was successful Then please copy all files and
sub-folder under the working directory to the root of your USB drive And the USB drive is ready to use
39 Change Password
A user can change hisher password in NeoRouter Network Explorer User must sign in the Network Explorer using
old password then choose menu ldquoFile | Change Passwordrdquo then enter the new password in the dialog
Network Explorer CLI has similar functionality After signing in user can use ndashchangepassword command to enter
new password
If a user loses the old password an administrator can create a new password for himher using the Configuration
Explorer User Management tool
User Manual
NeoRouter Inc 2010 Page 31 of 53
4 Configuration Explorer
NeoRouter Configuration Explorer is a Windows application that allows an administrator to manage local or remote
NeoRouter server This is the recommended method to change server settings
If user does not have a Windows computer nrserver CLI can be used to perform most configurations
41 Launch and Sign In
Note Only administrators can sign in Configuration Explorer
a User can launch it from Windows Start Menu | All Programs | NeoRouter | NeoRouter Network Explorer
or from NeoRouter Network Explorer menu ldquoFile | Optionsrdquo
b After launch user will see a sign-in dialog that is similar to the Network Explorer counterpart Please enter
domain name and user credential to sign in If the local host is behind a proxy please click on Connection
button to set proxy information
c After sign in the following general information page will be displayed
User Manual
NeoRouter Inc 2010 Page 32 of 53
42 Managing Users
In the User Accounts page you can perform the following tasks
- View existing users The users list can be sorted by any column
- Add a new user admin will create a temporary password for the new user and user can change the
password in Network Explorer
- Edit user information you can enter anything like employer contact info etc
- Set userrsquos password If a user loses password admin can set a temporary password for himher Then user
can change the password again in Network Explorer
- Disable (block) a user A disabled user will not be able to sign in Network Explorer or Configuration
Explorer The userrsquos profile and ACL settings are retained
- Delete a user all information of this user is deleted
- View the computers that are visible to this user (see ACL section for details)
User Manual
NeoRouter Inc 2010 Page 33 of 53
43 Managing Computers
In the Computers page you can perform the following tasks
- View existing computers please note that the Type column will show ldquoTemporaryrdquo for Network Explore
PortableUSB clients and ldquoPermanentrdquo for regular clients The computer list can be sorted by any column
- Edit a computerrsquos alias When a computer is added to the virtual network NeoRouter reads the computer
name from the OS and displays it in the computer list If you prefer a different name you can create an
alias which will then be used in the computer list
- Edit a computerrsquos description you can enter anything like computer owner location asset id etc
- Edit ACL this will be discussed in next section
User Manual
NeoRouter Inc 2010 Page 34 of 53
44 Access Control List
This feature is available in NeoRouter Profession Edition only
441 Overview
The ACL of a host specifies which users are granted or denied access to the host and which specific services or ports
are allowed Administrators can use ACL to manage a NeoRouter domain that has users with different trust levels
For example Joe uses NeoRouter to manage the office network at his small business He wants to share some
documents on a file server with a customer but block this customer from accessing other services on this file server
and other computers at office At the same time Joe and his coworkers should continue to have full access to all
computers
This can be a daunting task with traditional VPN solutions Once Joersquos customer is connected into the office
network heshe can access all network resources just like Joe and his coworkers If the office uses a domain
controller it can help mitigate the threat but Joe would have to check all the computers to ensure they are secure
Some coworkers can make innocent mistakes and share important files or internal websites with ldquoeveryonerdquo With
NeoRouter Joe can manage all the access control at one place and easily solve this challenge
User Manual
NeoRouter Inc 2010 Page 35 of 53
ACL defines the relationships between users and computers that can be conceptually represented using a table In
Joersquos case he needs to define the ACL as follows
Default User Joe (Admin) Customer Joersquo Co-workers
Default Computer ACL Block all
File Server Allow all Allow file sharing
block other services
Office Computer A Allow all Block all
Office Computer B Allow all Block all
Joersquos laptop Allow all Block all
Customerrsquos Computer
Letrsquos first look at the row for File Server Joersquos customer will only have access to the files sharing service There is
no ACL defined for Joe and his co-workers so the ACL for Default User is effective and they have full access
Similarly the customer will be blocked from accessing office computer A and B as well as Joersquos laptop while Joe
and his coworkers have full access to these computers
When the customer connects to Joersquos NeoRouter domain his computer will be added to the domain Because the
ACL for this computer is undefined it will have the same ACL as ldquoDefault Computerrdquo Thus the customerrsquos
computer will block all users including Joe from accessing it The customer has physical access to his own
computer
442 Define Computer ACL
You can think of a computerrsquos ACL as a row in the above ACL table An admin can select any computer in the
computer list and edit its ACL If a group of computers share the same ACL admin can copy ACL from one
computer to another
To edit the Default Computer ACL you can click on the ldquoEdit Default ACLrdquo button in the tool bar
User Manual
NeoRouter Inc 2010 Page 36 of 53
443 Define ACL entry
An ACL entry defines the relationship between one user and one computer You can think of it as a cell in the above
table To edit an ACL entry you can select the computer in the computer list click Edit ACL in the tool bar and
then select the user in the User List in the following dialog If the user does not exist in the list you can click Add
button and add himher
There are 4 types of ACL entries
Undefined the relationship between the user and the computer is not explicitly defined The user does not
show up in the User List of the ACL In this case the Default User ACL entry for this computer will be
effective
Block All the computer is invisible to the user User cannot add the computer to hisher computer list in
Network Explorer or connect to it
Note admin can view the list of computers that is visible to a specific user Click on the User Accounts tab
choose the user and then click on the ldquoUser Computer Listrdquo button from tool bar
Firewall On User can only access the services in the exceptions list provided by the computer
Firewall Off User can access all services provided by the computer
To define the Default User ACL entry for a computer choose Default User from User List If several users have the
same trust level admin can copy the ACL entry from one user to another using the ldquoCopy Fromrdquo button
444 How Firewall Works
NeoRouter Client Service daemon has a built-in firewall that monitors traffic in the virtual network The firewall
downloads the ACL from server and uses it to allow or deny incoming connections in the virtual network
User Manual
NeoRouter Inc 2010 Page 37 of 53
When a remote computer establishes a direct P2P or relayed connection to local host it also informs which user has
signed into the Network Explorer on the remote computer Then the local hostrsquos firewall will use the user id to
choose the appropriate ACL entry and control the virtual network traffic between these two computers If user does
not sign in Network Explorer on the remote computer the Default User ACL entry is used
As a result NeoRouter firewall can control a userrsquos access to a network resource (a computer or a service on a
computer) based on the ACL
445 Example hub-and-spoke
Jeffrsquos company has three business partners A B and C Jeff needs to setup bidirectional network connections with
each partner but these partners should be invisible to each other Jeff setup a NeoRouter domain and invited the
partners to Then Jeff creates the following ACL to achieve his access control goals
Default User Jeff (Admin) Partner A Partner B Partner C
Default Computer ACL Block all Allow all
Jeffrsquos Computer 1 (Hub 1) Allow all
Jeffrsquos Computer 2 (Hub 2) Allow all
Partner Arsquos Computer
Partner Brsquos computer
Partner Crsquos computer
Every user will have access to Jeffrsquos two computers (hub) because they have Default User ACL entry as ldquoAllow
allrdquo Partner Arsquos computer does not have a specific ACL defined so the Default Computer ACL is effective The
Default Computer ACL grants Jeff access to Partner Arsquos computer but make the computer invisible to Partner B and
C Partner A have physical access to his own computer
446 Example one-way access
Jasonrsquos company provide technical support for customer A Jason needs to have one-way access to Customer Arsquos
computer but block Customer A from accessing Jasonrsquos computer Jason sets up the following ACL for his domain
and invites Customer A to join his domain Jason can access all the computers in the domain while Customer A can
access none except for his own
One day Jason visits another Customer Brsquos office He installs NeoRouter client on Customer Brsquos computer so that he
can provide technical support remotely in the future When he signs into Network Explorer he makes sure to
uncheck ldquoremember my passwordrdquo checkbox When he leaves customer Brsquos office he exits the Network Explorer
Because Network Explorer is not running on Customer Brsquos computer the Default User ACL governs the
connections from Customer Brsquos computer to other computers in the VLAN Thus Customer B does not have access
to any computers except for his own When Jason goes back to his office he can connect to Customer Brsquos computer
remotely and provide customer support
The difference between Customer A and B is that Customer A has a NeoRouter user account while Customer B does
not The result is that Jason has access to all three computers while Customer A or B can only access hisher own
computer
Default User Jason (Admin) Customer A
Default Computer ACL Block all Allow all
Jasonrsquos Computer
Customer Arsquos Computer
Customer Brsquos Computer
User Manual
NeoRouter Inc 2010 Page 38 of 53
45 Managing Server and Domain
In the Settings page you can perform the following tasks
- Change domain name User should have setup a domain during the server installation If you decide to
change the domain name you can create a new domain at NeoRouter Dashboard website and then use
Configuration Explorer to switch the server to new domain
- Change Listen Port this is discussed in the Advanced Configuration chapter
- Change NAT setting this is discussed in the Server Installation chapter
- Change DHCP this is discussed in the Advanced Configuration chapter
Please restart the NeoRouter server daemon after changes
46 Branding
This feature is available in NeoRouter Profession Edition only
Admin can customize the logo on the sign-in page NeoRouter Network Explorer and the banner below the computer
list The customization page of the Configuration Explorer allows user to make these changes The changes will be
effective next time user signs into the Network Explorer
User Manual
NeoRouter Inc 2010 Page 39 of 53
a Logo format custom logo can be JPG JPEG BMP or GIF files The Logo will be displayed in 180 80
pixels and the file will be automatically resized to fit The color of the pixel at (0 0) will be used as the
transparent color
b Banner format custom banner can be JPG JPEG BMP or GIF files The banner will be displayed in
190 42 pixels and the file will be automatically resized to fit
c When user clicks on the banner Network Explorer will launch a web browser and navigate to the link
specified in the ldquoBanner Linkrdquo box The banner link should be a valid URL that begins with http eg
httpwwwgooglecom
User Manual
NeoRouter Inc 2010 Page 40 of 53
47 Server Configuration CLI
Another way to configure the NeoRouter server is to use nrserverrsquos CLI If user does not have a Windows computer
with Configuration Explorer this tool can be used to set most configurations
Usage nrserver [options]
-run [--dbroot ltDBROOTgt]]
-showsettings
-setdomain ltDOMAINNAMEgt ltDOMAINPASSWORDgt
-setport ltPORTgt
-dhcp ltSUBNETgt ltNETMASKgt
-showusers
-adduser ltUSERNAMEgt ltPASSWORDgt [admin|user]
-setpassword ltUSERNAMEgt ltNEW PASSWORDgt
-setrole ltUSERNAMEgt [admin|user]
-enableuser ltUSERNAMEgt
-disableuser ltUSERNAMEgt
-deleteuser ltUSERNAMEgt
-showcomputers
-deletecomputer COMPUTERNAME
-setalias COMPUTERNAME ALIAS
-help
5 Advanced Configuration
51 Change Server Port
By default NeoRouter server listens at TCP port 32976 for incoming client connections User can change the
listening port to any valid number between 1 and 65534
a Launch Configuration Explorer sign in and open the Settings tab
b Click on ldquoChange Portrdquo button input the new listening port and click ldquoOkrdquo to save the settings
c If the NeoRouter Server is running on the same computer user will be prompted for restarting the
NeoRouter Server
d If the NeoRouter Server is running on a different computer or device user needs to restart the server
manually
User Manual
NeoRouter Inc 2010 Page 41 of 53
Note
- The new settings will not take effect until the NeoRouter server stops and restarts
- Since the listening port has been changed all NeoRouter clients connected to the server will be
disconnected and have to reconnect to the server
52 Change DHCP NeoRouter server acts as a DHCP server to allocate the virtual IP address when a NeoRouter client connects to it By default the base IP address is 100002552552550 User can change the base IP address to any valid network IP address to meet the specific requirements
a Run Configuration Explorer sign in and open the ldquoSettingsrdquo tab b Click on ldquoChange DHCPrdquo button input the new IP address and netmask and then click ldquoOkrdquo to save the
settings c If the NeoRouter Server is running on the same computer user will be prompted for restarting the
NeoRouter Server d If the NeoRouter Server is running on a different computer or device user needs to restart the server
manually
Note
- The new settings will not take effect until the NeoRouter server stops and restarts
53 Network Bridge
531 Overview NeoRouter (v099 or later) supports the Network Bridge feature which uses two very different means for
interconnecting networks routing and bridging Once the feature is enabled the ACL feature will be disabled
automatically as we cannot control the packets from the external networks anymore and may cause security issues if
its not setup properly So this is an advanced feature for the users who know about it every well
Routing - refers to the interconnection of separate and independent sub-networks (subnets) which have non-
overlapping ranges of IP addresses Upon receiving a packet sent to it a network router examines the
destination IP address to determine which of several connected networks should receive it after which that packet
is forwarded to the proper network
User Manual
NeoRouter Inc 2010 Page 42 of 53
Bridging - by comparison is much simpler A network bridge is simply an electrical interconnection between
separate physical networks that are all carrying the same ranges of IP addresses Standard dumb network hubs
and switches are examples of network bridges With a hub packets arriving at any port are bridged and sent
out to every other port A switch is a bit smarter since it is able to adaptively learn which network interface cards
(NICs) are attached to which ports But a switch is still interconnecting network segments carrying the same
ranges of IP addresses
532 Routing vs Bridging Although routed connections are the most common and straightforward to configure they suffer from significant
operational limitations By comparison bridged connections are generally much trickier to configure and are not
even natively available under all operating systems so they are not the default connection type But when bridging
is properly setup it correctly does everything that we want
Bridging and routing are functionally very similar with the major difference being that a routed VPN will not pass
IP broadcasts while a bridged VPN will
Routing advantages
Efficiency and scalability
Allows better tuning of MTU for efficiency
Routing disadvantages
Clients must use a WINS server (such as samba) to allow cross-VPN network browsing to work
Routes must be set up linking each subnet
Software that depends on broadcasts will not see machines on the other side of the VPN
Works only with IPv4 in general and IPv6 in cases where tuntap drivers on both ends of the connection
support it explicitly
Bridging advantages
Broadcasts traverse the VPN -- this allows software that depends on LAN broadcasts such as Windows
NetBIOS file sharing and network neighborhood browsing to work
No route statements to configure
Works with any protocol that can function over ethernet
Relatively easy-to-configure solution for road warriors
Bridging disadvantages
Less efficient than routing and does not scale well
533 Setup Network Bridge With either bridging mode or routing mode one can create point-to-site VPN site-to-site VPN or even multiple site-
to-site networks Once a network structure is well designed one can use Featureini file to control NeoRouter client
service to implement it
The file Featureini is located in the main configuration folder which can be various for different OS
On Windows Xp
XDocuments and SettingsAll UsersApplication DataZebraNetworkSystemsNeoRouter
On Vista+
XUsersAll UsersZebraNetworkSystemsNeoRouter
On Linux and Mac OSX
usrlocalZebraNetworkSystemsNeoRouter
On in-a-box
jffs
If it does not exist please create one
The only thing to do is define the parameters in the Featureini file
User Manual
NeoRouter Inc 2010 Page 43 of 53
NetworkBridge=1
LANSegment parameter
This is a set of parameters used for mapping the external IP address or IP range to a virtual IP address so that
NeoRouter can route the packets to the proper tunnel Its defined in the following format
LANSegment[index]=[IP|IP range|segment]VIP
[index] - number start from 1 for example 123
[IP] - a valid external IP address for example 192168129126
[IP range] - a set of external IP addresses in the format as IP_BEGIN-IP_END For example 192168129126-
192168129128
[segment] - a set of external IP addresses in the format as SUBNETWORKNETMASK For example
19216812902552552550
For example
[Default]
NetworkBridge=1
LANSegment1=192168129126-192168129128192168129204
LANSegment2=192168129120192168129205
LANSegment3=192168302552552550192168129206
In the sample above the setting tells NeoRouter how to route packets
Here are several common scenarios
534 Bridging Setup ndash point to site VPN
Requirement
A company wants create a point-to-site VPN so that the employees can remotely access the printers or computers in
the office from home or customer site Since NeoRouter client cannot be installed on the printers and some
User Manual
NeoRouter Inc 2010 Page 44 of 53
computers that are running Unix OS (HP-Unix Solaris or SCO Unix) the NeoRouter Network Bridge feature
would the best choice
Design
Since we want to use the printer its better to use the bridging mode Depending on the requirements we split the
network into 3 groups
1 192168129126 - 192168128128 used for computers or printers
2 192168129200 - 192168129254 used for NeoRouter DHCP
3 Other IP address we dont want packets from these IP range go to our VPN
Setup
1 Setup NeoRouter server and config the DHCP address to 1921681292002552552550
2 Setup the gateway computer by creating a bridge to combine the NeoRouter virtual adapter and a local adapter
On Windows XP+ (except WinXp x64) one can use Windows tool to create a bridge
(check out MSDN for details)
Since some adapters may not fully support prosmic mode one has to enable it manually
(check out httpsupportmicrosoftcomkb302348)
gt netsh bridge show adapter
gt netsh bridge set a 1 e
gt netsh bridge set a 2 e
On Linux one can use brctl command to create a bridge
gt brctl addbr $br
gt brctl addif $br eth0
gt brctl addif $br nrtap
gt ifconfig nrtap 0000 promisc up
gt ifconfig eth0 0000 promisc up
gt ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast
gt
gt ifconfig $br down
gt brctl delbr $br
3 Setup Featureini file on each member of the NeoRouter network The content of the file is
[Default]
NetworkBridge=1
LANSegment1=192168129126-192168129128192168129204
After setting the file restart the nrservice or reboot computer
User Manual
NeoRouter Inc 2010 Page 45 of 53
535 Routing Setup ndash site to site VPN
Requirement
A company wants create a site-to-site VPN to link two offices located in different cities They cannot install
NeoRouter client software on their computers running Unix OS (HP-Unix Solaris or SCO Unix) The NeoRouter
Network Bridge feature would be the best choice
Design
To make the VPN fast its better to use the routing mode From the requirements we can see 3 networks
1 19216812902552552550 Office 1
2 192168302552552550 Office 2
3 100102552552550 NeoRouter virtual network
Setup
1 Setup NeoRouter client on each gateway computers
2 One each gateway computer enable the feature allowing the OS to forward packets
On Windows 2000+
create HKEY_Local_MachineSystemCurrentControlSetServicesTcpipParametersIPEnableRouter
as a string value equal to 1 in the registry This will require a system reboot to take effect To confirm it
is enabled do ipconfig all from the command line IP Routing Enabled should say yes If not confirm your
registry setting and reboot again This setting is flaky in non-server versions of Windows
Also refer to httpsupportmicrosoftcomkb230082en-us
On Linux
gt echo 1 gt procsysnetipv4ip_forward
User Manual
NeoRouter Inc 2010 Page 46 of 53
On Mac OS X
1) The easy way is to create or edit etcsysctlconf and add netinetipforwarding=1
or
2) gt sysctl -w netinetipforwarding=1
3 Setup route on each gateway
On the gateway of the 1921683x network
gt route ndashp add 1921681290 mask 25525500 1001103
On the gateway of the 192168129x network
gt route ndashp add 19216830 mask 25525500 1001102
4 Setup route stable When using routing method you need to tell your other machines how to cross the VPN to
access computers on the opposite network
Option1
This requires more work but limits configuration changes to be at the computer level
On each computer of the 1921683x network
gt route ndashp add 1921681290 mask 25525500 1921683234
On each computer of the 192168129x network
gt route ndashp add 19216830 mask 25525500 192168129129
Option 2 (not all routers support this but it is the minimal configuration method)
On the router acting as the default gateway for 1921683x network add a static route that says any traffic destined
for 1921681290 network go through 1921683x (IP address of NeoRouter PC on 1921683x network)
On the router acting as the default gateway for 192168129x network add a static route that says any traffic
destined for 19216830 network go through 192168129x (IP address of NeoRouter PC on 192168129x
network)
User Manual
NeoRouter Inc 2010 Page 47 of 53
536 Bridging Setup ndash site to site VPN
537 Run Scripts When Network Bridge feature is enabled one can define commands getting called by NR Client on the following
events
These commands should be defined in the Featureini file
1When initialize the tap device but not activate it yet
CmdOnTapInit=xxxxxxxxx
2When the tap device gets activated
CmdOnTapActive=xxxxxxxxx
3When tap device gets destroyed
CmdOnTapUninit=xxxxxxxxx
These options are available on all platforms
For example one can define a script to setup static route table after the tap gets activated and has virtual IP address
assigned
Featureini
CmdOnTapActive=usrbinsetroutetablesh
User Manual
NeoRouter Inc 2010 Page 48 of 53
54 Build Custom Add-on (Windows)
541 Create Custom Add-on You can customize an add-on or even create your own
As an example letrsquos create an add-on to get the system info of a remote computer using PsTools by Mark
Russinovich and systeminfoexe command shipped with Windows
PsTools httptechnetmicrosoftcomen-ussysinternalsbb896649aspx
systeminfo httptechnetmicrosoftcomen-uslibrarybb491007aspx
a Launch NeoRouter Network Explorer open Add-ons Manager dialog
b Click + button to create a new add-on
c In add-on properties dialog enter the following
Add-on name psexec systeminfo
Command
cmdexe C cpstoolspsexecexe NRIPAddress -u ltusernamegt systeminfo amp pause
Please replace ltusernamegt with username on the remote computer
Comment Get SystemInfo of remote machine using psexec
Startup Type Manual
Icon click Change Icon button to choose one thats easy to recognize
d In the command you can use Windows environment variables or NeoRouter variables like
NRIPAddress If you click on the button next to the Command edit box you will see the Edit
Command dialog with a list of variables you can use
User Manual
NeoRouter Inc 2010 Page 49 of 53
e Three Startup types are supported
Manual the add-on will be displayed in the launch pad of Network Explorer and user can manually
launch the program
Automatic after signing in the add-on command is automatically executed when user signs into
NeoRouter Network Explorer
Automatic after Windows starts the add-on command is automatically executed when Windows
starts
f Launch the new add-on just click on the target computer in Network Explorer and choose the add-on in
the pop-up launch pad
User Manual
NeoRouter Inc 2010 Page 50 of 53
g In the above steps I have assumed that PsTools are installed at cPsTools and the remote computer has
telnet service enabled If not lets configure the system now
PsTools download from httptechnetmicrosoftcomen-ussysinternalsbb896649aspx and extract to
cPsTools folder
h Configure telnet service on remote computer This step is required on XPVista but not necessary on
Windows 20032008 servers
Run servicesmsc from the Start -gt Run command window and configured the Telnet service for
Automatic Start the service
Follow the instructions here httpsupportmicrosoftcomkb298060en-us
Launch Windows firewall and add CWINDOWSSystem32tlntsvrexe to exception list
542 Add-on File Formats
NeoRouter supports two types of add-on files nri and nra Most users only need to deal with nri files all files
downloaded from httpwwwneoroutercomaddonsindexhtml are in this format nra files are used by advanced
users to build custom add-ons
nri is the full installation package that contains both the application and the the configure info Users can simply
download nri files from and use the Install button to setup the add-on
nra contains only the configuration info Advanced users can create custom add-ons and export the configuration
info as nra files using the Export button in the add-on properties dialog Then heshe can import the nra file
on another client But remember that you will need to manually setup the application as well
User Manual
NeoRouter Inc 2010 Page 51 of 53
6 Licensing NeoRouter
61 Licensing Overview
NeoRouter Server Professional Edition has a license control mechanism User can purchase either 8 licenses or 256
licenses The number of licenses is the max number of client computers allowed in the virtual network A
NeoRouter client requires one license regardless of whether it is online or offline A NeoRouter PortableUSB client
requires one license when it is connected to the virtual network There is no limit on the number of user accounts
NeoRouter Professional has 30 days trial period Please activate before the trial period expires to ensure
uninterrupted usage The license status and remaining trial days can be found at Configuration Explorerrsquos General
page
62 Activation
If you have purchased NeoRouter Professional Edition you should receive a product key in email Please have the
product key ready before starting the activation process
a Ensure NeoRouter server is running
b Launch Configuration Explorer and sign in
c Open ldquoGeneralrdquo page click on the ldquoActivate Productrdquo button
d Enter the product key in the following dialog
e Click on the ldquoOKrdquo button to activate it
After successful activation the ldquoActivate Productrdquo button will disappear and License status will show as activated
If the server host is non-Windows you can also activate using nrserverrsquos CLI The command is as follows On Mac
nrserver executable is located under LibraryNeoRouter
ldquonrserver ndashactivateproduct ltPRODUCT KEYgtrdquo
63 Product Key Recovery
You should receive a product key in email within 48 hours after your purchase If you lose the product key please
contact us and provide your name company shipping address and email address We will verify the information and
resend the product key to you
User Manual
NeoRouter Inc 2010 Page 52 of 53
7 Troubleshooting and Support
71 Troubleshooting
If you come cross issues when using NeoRouter please use the methods to debug or report
711 Troubleshooting steps
1Install Server
2Check Server
Process
3Check Server
Listening port
4Check Port
Forwarding
6Signin with
Domain
14Check Error
Message
20 Generate Log
and email support
9Install Client
10Check Client
Service Process
11Sign in with
serverrsquos local or
public IP and port
failed
sucessful
15 Manually Start
Servernot found
started
not start
found
not open17 Check Port
conflicts
solved
Not solved
opened
19 Check Router
Port Forward
setting
not work
Set properly
8Ready
Sign in successfully
5Sign in with
public IP and port
successful
Cannot sign in
22 Router Hairpin
issue
Cannot
sign in
12Sign in with
domain name
found
successful
failed
16 Manually Start
Client ServiceNot found
started
13Ready
Sign in successfully
18 Check serverCannot
Sign in
solved
Cannot
sign in
21 Check domain
setting
Not sovled solved
Troubleshooting Steps
Setup Server Setup Client
Note
Step 2 and 10 to check if a process is running you can use Task Manager or Services Console on
Windows or ps command on other platforms
Step 3 to check server listening port you can use telnet or netstat on all platforms You can also
TcpViewer on Windows or NetActView on Linux
Step 4 to check port forwarding you can use httpwwwneoroutercomcheckportphp
Step 5 and 6 Tip ndash use Configuration Explorer instead of Network Explorer to debug server issues
Step 20 next section will explain how to generate log files
User Manual
NeoRouter Inc 2010 Page 53 of 53
Step 22 If your router does not support Hairpin please set serverrsquos LAN address in the Connection
Options dialog See Server Local Address
712 Generate Log
If you need technical support please use the following steps to collect the log files and send them to
supportneoroutercom
a Launch Network Explorer
b Select menu item HelpgtgtTroubleshootinggtgtLog Session to File
c If you want to troubleshoot the server then restart the NeoRouter server service from the servicesmsc if
you want to create log for the client then restart the NeoRouter client service from the servicemsc
d After reproduce the issue select menu item HelpgtgtTroubleshootinggtgt Log Session to File again to disable
the log and restart the service you are trying to log
e Select menu item HelpgtgtTroubleshootinggtgtOpen Configuration Folder and you will see the log file
For advanced users please setup logging settings manually referring to
httpwwwneoroutercomwikiindexphpNeoRouterWikiFAQHow_to_generate_a_log_file3F
72 Contact Us
Company website
httpwwwneoroutercom
Technical support
supportneoroutercom
Support ticket
httpswwwneoroutercomDashboardSendTicketaspx
Support forum
httpwwwneoroutercomforum
Product sales
salesneoroutercom
Knowledge base
httpwwwneoroutercomsupport
User Manual
NeoRouter Inc 2010 Page 5 of 53
13 Glossary and Concepts
NeoRouter Virtual Network (VLAN) NeoRouter software connects a group of hosts from any locations into a
virtual LAN-like network that has similar attributes as a physical LAN Hosts can communicate as if they were
attached to the same broadcast domain even if they are not located on the same network switch
NeoRouter Client A host on the VLAN is called NeoRouter Client It has a virtual network adapter and is assigned
a virtual IP address
NeoRouter Server NeoRouter Server assists clients in discovering and communicating to each other It also
manages usersrsquo profiles and privileges software licenses and branding NeoRouter Clients must connect to server in
order to join the VLAN
NeoRouter Domain One NeoRouter Server and multiple NeoRouter Clients that connect to this server are
collectively called NeoRouter Domain Each domain has a globally unique name as its identification Domain names
are managed by NeoRouter Inc
NeoRouter User A NeoRouter User is a person who uses NeoRouter software and accesses hosts on a virtual
network Please note that many other VPN solutions like OpenVPN or Hamachi do not distinguish a user from a
client host NeoRouter introduces the user concept so that a user will have the experience regardless on which
computer he connects to the VLAN and admin can manage each userrsquos access privilege
NeoRouter Administrator A NeoRouter Admin is a user who can also manage the VLAN
NeoRouter Network Explorer The main application installed on a client that allows users to log into the VLAN
view the connection status of other clients and launch add-on programs to connect to remote clients It may have
graphic or command-line user interface (executable is nrclientcmd)
NeoRouter Network Explorer PortableUSB (aka Viewer) A version of the NeoRouter Network Explorer that
requires no installation It is ideal for users who need to connect from a kiosk but do not have the privilege to install
software It allows users to log in and launch add-on programs just like the regular Network Explorer But the local
computer will not join the VLAN and other clients will not be able to connect to it It also ensures no personal
information is left behind after use
NeoRouter Configuration Explorer (aka Console) An application installed on a client or a server that allows
administrators to manage a VLAN Configuration Explorer for Windows has a graphic user interface and can be
used to configure local or remote server Configuration Explorer for Mac and Linux are built into serverrsquos
command-line interface (executable is nrserver) and can configure local server only
NeoRouter Client Service A daemon program installed on a client that establishes connections to server and peer
clients It always runs in the background and ensures the connections even when the Network Explorer is not
running Most users do not need to interactive with this program directly
Access Control List (ACL) An ACL of a host specifies which users are granted or denied access to the host and
which ports are allowed Each host also has a default ACL which is used if a userrsquos privilege is not explicitly
defined in the hostrsquos ACL or if user does not sign in Network Explorer on the remote host
NeoRouter Dashboard A web-based application that allows users to manage domain information and view
domain status (httpswwwneoroutercomDashboard)
NeoRouter Dynamic Domain Name System (DDNS) To simplify user log on NeoRouter maintains domain
name public IP address and port of every NeoRouter server in a central DDNS server When user launches Network
Explorer and signs into a domain Network Explorer contacts the DDNS server translates the domain name into the
actual IP address and port and connects to the NeoRouter server
User Manual
NeoRouter Inc 2010 Page 6 of 53
14 How it works
In the NeoRouter domain shown in the above diagram three clients at different locations can establish direct P2P
connections with the help from server and can communicate to each other as if they were in the same physical LAN
A NeoRouter server is usually setup on an always-on host that has stable Internet connection and a static or dynamic
public IP address If server is behind a router (or firewall) user needs to configure the router and expose the
NeoRouter server port (default to 32976) to Internet by port-forwarding or UPnP
NeoRouter client can connect from anywhere as long as it has Internet connection User can simply launch
NeoRouter Network Explorer signs in with user credential and domain name and heshe will be able to view the list
of hosts in the VLAN and launch add-on programs to access them Network Explorer uses a DDNS-like protocol to
discover and connects to the NeoRouter server (blue lines) When user executes add-on programs NeoRouter client
will establish a direct P2P connection to the requested peer client (green lines) and a secure tunnel that transfers the
network data from all the add-on programs
NeoRouter server remembers the signature of a client after its first successful connection and NeoRouter Client
Service daemon can then connect to the VLAN without requiring user to log into NeoRouter Network Explorer
This allows an untended server to always stay connected
NeoRouter clients use the STUN and STUNT methods to establish the direct P2P connections and achieve highest
connection speed These methods are widely used in P2P programs and have very high success rate If a client is
behind a symmetric NAT which is often found in large corporations these methods may fail and the connection to
this client will fall back to relay mode If the traffic between two clients is relayed through server the serverrsquos
physical location network speed and CPU load may affect the connection speed
NeoRouter uses SSLv3 (AES-256) protocol to secure the communication channel between client and server and uses
a suite of protocols (RSA 2048bit DH and AES-256) to protect P2P connections among clients This solution meets
the industryrsquos highest security standards
User can setup NeoRouter server and client on the same host NeoRouter server by itself cannot add a host into
VLAN or communicate with peer clients using their virtual IP addresses User often sets up NeoRouter client
software on the same host as server so that this host can become part of the VLAN
User Manual
NeoRouter Inc 2010 Page 7 of 53
15 System Requirements
NeoRouter client and server can be installed on
Windows (Win 7VistaXP200820032000)
Mac OSX (x86 LeopardSnow Leopard PPC Tiger)
Linux i386 and x64 (RedhatFedoraCentOS UbuntuDebian SuSE)
Linux-based router firmware (Tomato OpenWRT Kamikaze Fonera2n)
16 Acknowledgements
NeoRouter is made possible because of the following open-source projects
OpenSSL the Open Source toolkit for SSLTLS httpwwwopensslorg
OpenWrt a Linux based firmware program for embedded devices such as residential gateways and routers
httpwwwopenwrtorg
Tomato Firmware a small lean and simple replacement firmware for Broadcom-based routers
httpwwwpolarcloudcomtomato
Fon A router that allow its user to securely share their Wi-Fi network with other Fon members httpwwwfoncom
Tun-Tap OSX the virtual network interface for Mac OS X httptuntaposxsourceforgenet
Nullsoft Scriptable Install System (NSIS) a professional open source system to create Windows installers
httpnsissourceforgenet
NRClientX a GUI frontend for NeoRouter Network Explorer on Mac Linux and Windows
httpsourceforgenetprojectsnrclientx
User Manual
NeoRouter Inc 2010 Page 8 of 53
2 Installation
21 Check list
Here are the steps to setup a NeoRouter Virtual LAN Please refer to next few sections for detailed instructions on
your target operating systems
Server Setup
a Choose a host that meets the network requirements as NeoRouter server
b Install NeoRouter server software
c Create the first administrator if necessary
d Setup NeoRouter domain
e Configure router or firewall for port-forwarding or UPnP if necessary
Note NeoRouter Server for Windows has an install wizard that guides user through steps b c amp d
Client Setup
a Install NeoRouter client software
b Sign In Network Explorer and join this host to VLAN
c Install add-ons if necessary
License activation See Chapter 6 Licensing NeoRouter
22 Server Setup
221 Server Network Requirements
A NeoRouter server is usually setup on an always-on host that has stable Internet connection and a static or dynamic
public IP address If server is behind a router (or firewall) user needs to configure the router and expose the
NeoRouter server port (default to 32976) to Internet by port-forwarding or UPnP
222 Install NeoRouter server on Windows
a Download NeoRouter installation package for Windows NeoRouter server and client for Windows share
the same installation package
If you are installing on Windows 2000 please download the package for this OS
b If you have installed an earlier version of NeoRouter please uninstall it using Windows Add or Remove
Program tool
You may be prompted with a dialog box asking whether to remove user data files generated by NeoRouter
These files include database configuration and cached information If you are simply upgrading please
click ldquoNordquo to keep the files
c Launch the installation wizard choose NeoRouter Server and click the Next button
User Manual
NeoRouter Inc 2010 Page 9 of 53
d Setup a domain name that can uniquely identify your virtual LAN You will need to enter the domain name
in the log on to box during sign in
e Setup the administrator account for your domain You will need to enter the username and password during
sign in
User Manual
NeoRouter Inc 2010 Page 10 of 53
f Click the Finish button to complete installation
g NeoRouter is installed under ldquoProgram FilesZebraNetworkSystemsNeoRouterrdquo and user data is stored
under ldquoAllUsersAppdataZebraNetworkSystemsNeoRouterrdquo
h NeoRouter server daemon can be controlled in Services Console (servicesmsc)
223 Install NeoRouter server on Mac
a Download NeoRouter server for Mac
b If you have installed an earlier version of NeoRouter please uninstall it In a terminal execute command
sudo LibraryNeoRouterrmnrserversh
c Double-click nrserver-ltversiongt-ltreleasegtdmg to open the disk image in Finder
d Double-click NeoRouterServermpkg to launch installer
e NeoRouter is installed under LibraryNeoRouter folder and user data is stored under
usrlocalZebraNetworkSystemsNeoRouter
224 Install NeoRouter server on Linux
a Download NeoRouter Server for your Linux distribution
b If you have installed an earlier version of NeoRouter please uninstall it
Redhat and Fedora sudo rpm -e nrserver
SuSE sudo rpm -e nrserver
Ubuntu and Debian sudo dpkg -r nrserver
c Install
Ubuntu amp Debian sudo dpkg -i nrserver-ltversiongt-ltreleasegti386deb
SuSE sudo rpm -i nrserver-ltversiongt-ltreleasegti386rpm
Redhat and Fedora sudo rpm -i nrserver-ltversiongt-ltreleasegti386rpm
Configure OpenSSL NeoRouter is compiled using openssl 098g If you have an older version of
Fedora please upgrade the openssl package You may also need to add the following symbol links
cd lib
ln -s libcryptoso098g libcryptoso098
ln -s libsslso098g libsslso098
d Configure firewall for NeoRouter server listening port
User Manual
NeoRouter Inc 2010 Page 11 of 53
Redhat and Fedora In a terminal run command sudo nano etcsysconfigiptables add -A INPUT -m
state --state NEW -m tcp -p tcp --dport 32976 -j ACCEPT before COMMIT
SuSE Launch firewall configuration tool choose Allowed Services in the left panel choose External
Zone in the first drop-down box choose NeoRouter server in the second drop-down box click Add
button click Next click Finish to save the changes
Ubuntu does not support firewall by default If you setup any firewall please open NeoRouter server port
(32976 by default)
e NeoRouter is installed under usrbin and user data is stored under
usrlocalZebraNetworkSystemsNeoRouter
225 Install NeoRouter Server on OpenWRT Kamikaze
a Connect to the router using ssh
b Update available install packages using command opkg update
c If you have installed an earlier version of NeoRouter please uninstall it opkg uninstall nrserver
d Install opkg install httpwwwneoroutercomDownloadsKamikazenrserver_ltversiongt-
ltreleasegt_mipselipk
e Configure firewall for the NeoRouter server listening port
edit etcfirewalluser and add the following
iptables -t nat -A prerouting_wan -p tcp --dport 32976 -j ACCEPT
iptables -A input_wan -p tcp --dport 32976 -j ACCEPT
f NeoRouter is installed under usrbin and user data is stored under
usrlocalZebraNetworkSystemsNeoRouter
226 Install NeoRouter Server on Tomato
a Download NeoRouter Server for Tomato It is a custom build of the full tomato firmware in TRX format
b Flash your router with the downloaded firmware See httpenwikibooksorgwikiTomato_(firmware) for
instructions
c In tomato UI ndash Administration ndash Jffs2 enable jffs and format if needed
d In tomato UI ndash Administration ndash scripts ndash WAN up add usrbinnrserversh start
e Reboot router
f NeoRouter is installed under usrbin and user data is stored under
usrlocalZebraNetworkSystemsNeoRouter
g Troubleshoot If you have trouble signing into NeoRouter Network Explorer from a remote client please
try DISABLE the Inbound Connection Logging In tomato UI - Status - Logs - Logging Configuration
disable Inbound Connection
227 Install NeoRouter Server on Fonera 20 N
a Download the NeoRouter Server for Fonera 20N (FON Plugin) package
b Open browser and log on to Fonera router web interface By default it is http192168101
c Navigate to Dashboard gtgt Applications
d If you have installed an earlier version of NeoRouter please uninstall it choose NeoRouter and click on the
ldquoXrdquo button to remove it
e Make sure there is more than 13MB free space left on the device
f Click the Browse button and choose the NeoRouter package then click the Upgrade button
g The installation will complete in a few seconds and the webpage will refresh automatically Do not
interrupt your browser during installation
h Please verify that NeoRouter icon shows up in the applications list and dashboard
i NeoRouter is installed under usrbin and user data is stored under
usrlocalZebraNetworkSystemsNeoRouter
User Manual
NeoRouter Inc 2010 Page 12 of 53
228 Create first administrator account
On Windows the install wizard will guide user to create the administrator
On non-Windows platforms NeoRouter can defer the authentication to the OS So user can sign in NeoRouter
using the same username and password as heshe logs into OS An exception is that if userrsquos OS account does
not have a password NeoRouter will not allow heshe to log in In this case user must create the first
administrator account using nrserver CLI ldquonrserver -adduser ltusernamegt ltpasswordgt [admin|user]rdquo On Mac
nrserver is located under ldquoLibraryNeoRouterrdquo
229 Setup NeoRouter domain
This step is only necessary on non-Windows platforms because Windows install wizard does this
automatically
a Launch web browser navigate to Dashboard CreateDomain page
httpswwwneoroutercomDashboardCreateDomainaspx fill the form and click Save
b Open a terminal on the server host and execute ldquonrserver -setdomain ltdomain namegt ltdomain
passwordgtrdquo On Mac nrserver is located under ldquoLibraryNeoRouterrdquo
2210 Port forwarding
This step is only necessary if your server host is behind a router or firewall We need to expose the NeoRouter
server port to Internet so server can accept incoming connections from the NeoRouter clients If you are using
NeoRouter in-a-box version and your router is directly connected to the cableDSL modem this step is
unnecessary
a Assign the server host a static LAN IP address
b Add ltserver host IP port 32976gt to Port Forwarding list NeoRouter server listens at port 32976 by default
and admin can change the port number using Configuration Explorer or nrserver CLI
Another option is to expose the NeoRouter server port is by UPnP This is only supported on Windows
a Enable UPnP in your router or firewall
b Launch Configuration Explorer on the server host click on ldquoSettingsrdquo tab and change ldquoserver NAT
settingrdquo to ldquoEnable UPnPrdquo
c Click the ldquoRestartrdquo button to restart server daemon
23 Client Setup
231 Install NeoRouter Client on Windows
a Download NeoRouter installation package for Windows NeoRouter server and client for Windows share
the same installation package
If you are installing on Windows 2000 please download the special package for this OS
b If you have installed an earlier version of NeoRouter please uninstall it using Windows Add or Remove
Program tool
c Run the installation wizard choose NeoRouter Client and click the Next button
User Manual
NeoRouter Inc 2010 Page 13 of 53
d On Vista or Win7 you may be prompted with a security warning because NeoRouter installs a virtual
network adapter Please allow the installer to proceed
e Follow the wizard to complete installation
f NeoRouter Network Explorer and Configuration Explorer are added to Windows Start menu
g NeoRouter is installed under ldquoProgram FilesZebraNetworkSystemsNeoRouterrdquo and user data is stored
under ldquoAllUsersAppdataZebraNetworkSystemsNeoRouterrdquo
h NeoRouter client service daemon can be controlled in Services Console (servicesmsc)
232 Install NeoRouter Client on Mac
a Download NeoRouter client for Mac
b If you have installed an earlier version of NeoRouter please uninstall it In a terminal execute command
sudo LibraryNeoRouterrmnrclientsh
c Double-click nrclient-ltversiongt-ltreleasegtdmg to open the disk image in Finder
d Double-click tuntap-ltversiongtpkg to install virtual network interface kernel extension
e Double-click NeoRouterClientmpkg to install NeoRouter client
f On Leopard or above NeoRouter Network Explorer is installed to the Applications folder
g On PPC Tiger a shortcut (nrclientcmd) is created on the Desktop and double-click it will launch Network
Explorer CLI
h NeoRouter is installed under ApplicationsNeoRouterapp and LibraryNeoRouter folder and user data is
stored under usrlocalZebraNetworkSystemsNeoRouter
233 Install NeoRouter Client on Linux
a Download NeoRouter Client for your Linux distribution
b If you have installed an earlier version of NeoRouter please uninstall it
Redhat and Fedora sudo rpm -e nrclient
SuSE sudo rpm -e nrclient
Ubuntu and Debian sudo dpkg -r nrclient
c Install
User Manual
NeoRouter Inc 2010 Page 14 of 53
RedHat and Fedora sudo rpm -i nrclient-ltversiongt-ltreleasegti386rpm
SuSE sudo rpm -i nrclient-ltversiongt-ltreleasegti386rpm
Ubuntu and Debian sudo dpkg -i nrclient-ltversiongt-ltreleasegti386deb
d Configure firewall for P2P connection (Optional)
Establishing direct P2P connection on Linux requires user to disable firewall Otherwise all connections to
this client will be relayed via server User must evaluate the trade-offs between performance and security
If this client is always physically located inside a trusted network like office or home LAN we recommend
disabling firewall and allow P2P connection If this client is physically located in an un-trusted network
like airport or coffee shop we recommend enabling firewall and relay all traffic via server
e Run usrbinnrclientcmd to launch Network Explorer CLI
f NeoRouter is installed under usrbin and user data is stored under
usrlocalZebraNetworkSystemsNeoRouter
234 Install NeoRouter Client on OpenWRT Kamikaze
a Connect to the router using ssh or telnet
b Update available install packages using command opkg update
c If you have installed an earlier version of NeoRouter please uninstall it opkg uninstall nrclient
d Install opkg install httpwwwneoroutercomDownloadsKamikazenrclient_ltversiongt-
ltreleasegt_mipselipk
e Configure firewall for P2P connection (Optional)
Please read NeoRouter client installation instructions for Linux and evaluate the trade-off between
performance and security If you decide to turn off firewall here is the instruction
edit etcfirewalluser and add the following
iptables -t nat -A prerouting_wan -p tcp -j ACCEPT
iptables -A input_wan -p tcp -j ACCEPT
iptables -t nat -A prerouting_wan -p udp -j ACCEPT
iptables -A input_wan -p udp -j ACCEPT
f Run usrbinnrclientcmd to launch Network Explorer CLI
g NeoRouter is installed under usrbin and user data is stored under
usrlocalZebraNetworkSystemsNeoRouter
h Turn your router into a file or backup server (Optional)
If your router has 8MB or more flash there should be enough space left for other packages You can enable
USB storage and Samba server and turn your router into a file server Or you can install rsync and turn it
into a backup server NeoRouters remote access and VPN service will allow you to securely access the
files from anywhere This solution is a lot cheaper than Small Business server or Windows Home server
Enable USB Storage httpnuwikiopenwrtorgoldwikiusbstoragehowto
Install Samba httpwikiopenwrtorgoldwikisambahowto
Install rsync httpoldwikiopenwrtorgrsync(2d)usb(2d)sambaHowTohtml
235 Install NeoRouter Client on Fonera 20N
a As Fonera 20N does not provide enough flash memory to install the NeoRouter client package we can run
it from a USB drive Another option is to flash the router with OpenWrt Kamikaze
b Download NeoRouter Client for Fonera 20N package
c Copy the package to a USB drive plug the USB drive to the FON router
d Connect to router using ssh
e Extract files tar zxvf nrclient-0991528-fon2n-mipseltgz
f If you didnt install the NeoRouter server plugin for FON please run the following commands Otherwise
you can skip this step
cp libuClibc++-022so usrliblibuClibc++-022so
ln -s usrliblibuClibc++-022so usrliblibuClibc++so0
g Setup NeoRouter Client
mkdir usrlocalZebraNetworkSystemsNeoRouter
run ldquonrservice amprdquo to launch the client service in the background
User Manual
NeoRouter Inc 2010 Page 15 of 53
run nrclientcmd to launch the Network Explorer CLI
h Disable firewall if you would like to establish direct P2P connection to this client
i Use the following steps to run client service automatically
vi usrbinnrcronclient and enter
binsh
if [ -z $(ps | grep nrservice | grep -v grep) ] then
usrbinnrservice gtdevnull amp
fi
exit 0
chmod 755 usrbinnrcronclient
Add a new entry to fonstate
etcinitdfonstate stop
vi etcconfigfonstate and enter
config fontimer
option action usrbinnrcronclient
option period 30
etcinitdfonstate start
3 Network Explorer
31 Launch and Sign In
a On Windows launch NeoRouter Network Explorer from Windows Start Menu | All Programs | NeoRouter
| NeoRouter Network Explorer
On Mac Leopard or above launch NeoRouter Network Explorer from Applications folder You can also
pin NeoRouter to the dock
User Manual
NeoRouter Inc 2010 Page 16 of 53
b Enter user credential
- If NeoRouter server is installed on Windows please use the administrator account created during
server setup
- If NeoRouter server is installed on other platforms NeoRouter can defer the authentication to the
operating system so user can sign in using the same username and password as heshe logs into OS
- User can also use the additional accounts created in Configuration Explorer or server CLI
- If you are invited to a NeoRouter domain please contact the administrator for your account
information
c In the Log on to field enter the domain name you have chosen during server setup Alternatively you can
enter the serverrsquos IP address or computer name You can also enter localhost if the Network Explorer is
on the same host as the server
d If the client host is behind proxy please choose Menu ldquoFile | Connectionsrdquo to bring up the Connection
Options dialog click Proxy Setting tab and then set proxy information
e Click the Sign In button
32 Computer List
The computer list is your view of the VLAN You can add any computer in your VLAN to this list and organize
according to your preference You will always have the same list regardless where you sign in from Each user will
have hisher separate list
Initially you will see an empty computer list after signing in for the very first time (see the left picture below) To
add a computer you can choose the menu Computers | Add a computer and then select the computer and category
in the dialog Once complete your computer list will be updated (see the right picture below)
You can use categories to help manage a long list of computers To create a category you can choose menu
Computers | Create a category To move a computer to a different category you can simply drag and drop
User Manual
NeoRouter Inc 2010 Page 17 of 53
Starting in release v098 the computer list shows the OS type icons next to a computer name If a computer is
online its icon is colourful and its name is bold If a computer is offline its icon is grey and its name is not bold
33 Add-on Add-ons extend NeoRouter Network Explorer and let you perform additional tasks over the virtual network
User Manual
NeoRouter Inc 2010 Page 18 of 53
331 Add-on launch pad
If you click on a computer in the computer list a popup dialog will display a list of actions you can take to remotely
control and access this computer This dialog is called the add-on launch pad
Screenshots on Windows
Screenshot on Mac
User Manual
NeoRouter Inc 2010 Page 19 of 53
NeoRouter Network Explorer has a few system default add-ons If a computer is online the following add-ons are
available
Icon Action
remote desktop connection
file sharing
ICMP ping
copy the IP address
If a computer is offline the following add-ons are supported
Icon Action
remote wakeup (WOL)
Note on remote wakeup NeoRouter server can send the Magic packet and wake up hosts that are WOL enabled If
the NeoRouter server is installed on a router remote wakeup works for hosts directly attached to this router If
server is installed on Windows Linux or Mac remote wakeup works for hosts in the same physical LAN To enable
WOL you may need to change BIOS and OS settings
332 Manage Add-ons (Windows)
You can download additional add-ons from the NeoRouter download website
(httpwwwneoroutercomaddonsindexhtml) and install them using the Add-on Manager Here we use UltraVNC
as an example to explain the setup process
a Launch NeoRouter Network Explorer choose menu File - Add-ons
b The Add-ons Manager dialog lists all the existing add-ons including system default ones and those
installed by user
User Manual
NeoRouter Inc 2010 Page 20 of 53
c To find more add-ons click on the Add-ons Gallery link at the bottom of the dialog or visit
httpwwwneoroutercomaddonsindexhtml in your web browser Download the add-on (nri) file to
your computer
d In the Add-ons Manager dialog click on Install button locate the nri file you just downloaded and
click Open to install the add-on
e Some add-ons including UltraVNC may require user to restart the NeoRouter Network Explorer to
complete the installation In such case you will see the following message box You can exit NeoRouter
Network Explorer by right click its icon in system tray and choose exit
f After installation you will see the new add-ons show up in the list
User Manual
NeoRouter Inc 2010 Page 21 of 53
g When you re-launch NeoRouter Network Explorer UltraVNC server will be started automatically If you
have not run UltraVNC server before you will see the following firewall warning and VNC configuration
dialog
h Please click the unblock button when you see the following dialog
Please enter VNC password then click the Ok button
User Manual
NeoRouter Inc 2010 Page 22 of 53
i Repeat the above steps on the remote computer that you plan to access
j To launch VNC viewer and access the remote computer choose the computer in the computer list and
click VNC viewer icon in the launch pad
333 Manage Add-ons (Mac)
a Launch NeoRouter Network Explorer choose menu File - Add-ons
b The Add-ons Manager dialog lists all the existing add-ons including system default ones and those added
by user
User Manual
NeoRouter Inc 2010 Page 23 of 53
c An add-on is essentially an apple script with NeoRouter parameters Here are some examples
Name Script
Copy IP set the clipboard to $NRIPAddress
Ping tell application Terminal to do script ping $NRIPAddress
Shared Folder tell application Finder to open location smb$NRIPAddress
Variables $NRIPAddress and $NRComputerName will be replaced with the IP and name of the selected
computer before the add-on is executed
d You can also create new add-ons or edit existing ones using the Add-On Properties dialog
User Manual
NeoRouter Inc 2010 Page 24 of 53
e To learn more about Apple Script please visit the following websites
httpenwikipediaorgwikiAppleScript
httpdeveloperapplecommaclibrarydocumentationAppleScriptConceptualAppleScriptXAp
pleScriptXhtml
34 Connection Options Connection Options dialog can be opened from Network Explorer menu ldquoFile | Connectionrdquo
341 P2P Connection This option allows user to specify the connection type between this computer and its peers The default option is
UDP User can also use direct TCP connection or relay traffic through NeoRouter server
342 Proxy Setting If the client host is behind proxy user can enter the proxy information here
User Manual
NeoRouter Inc 2010 Page 25 of 53
343 Server Local Address This option can be used to work around the connectivity issue when NeoRouter server is behind a router that does
not support hairpin
A router supports hairpin if it allows a host behind it to send network messages to its public-facing interface
Unfortunately some popular routers do not support this feature or turn off this feature by default
When user logs into NeoRouter Network Explorer first translates domain name into routerrsquos public address using
the NeoRouter DDNS service and then tries to connect to server using this address If both NeoRouter server and
client are behind the same router and the router does not support hairpin the router will block the messages that
client sends to the routerrsquos public address thus client fails to establish connection to server User could work around
this issue by entering serverrsquos LAN IP address instead of domain name in the ldquolog on tordquo box but this can be a
hassle for laptop users who frequently move between networks
These users can choose the second option ldquoConnect to server using its local address when possiblerdquo in the following
dialog and enter serverrsquos local address NeoRouter Network Explorer can detect when client and server are behind
the same router and automatically choose the specified local address to establish the connection to server
User Manual
NeoRouter Inc 2010 Page 26 of 53
35 Multi-Language
Multi-Language support allows you to change the default language displayed in Network Explorer NeoRouter
Portable and Configuration Explorer
351 Install a language resource file
NeoRouter applications support 34 languages and English is the default To install a new language you can
download the language resource files from
httpwwwneoroutercomwikiindexphpNeoRouterWikiMultilanguage and place them under the translation
folder Then the application will load them and list all available languages in the Language menu You can switch
language in the menu and the application will refresh its UI with the new language
For NeoRouter Network Explorer and Configuration Explorer the language resource files should be placed under
one of the following folders
ldquoProgram FilesZebraNetworkSystemsNeoRouterTranslationrdquo
ldquoAllUsersAppdataZebraNetworkSystemsNeoRouterTranslationrdquo
For NeoRouter PortableUSB the language resource file should be placed under Translations folder next to
application
352 Language resource file format
The file name should have the following format [Appliation Name] can be NRClient NRViewer and NRConsole
[LangCd] is the short language code
[Application name]Resource[LangCd][xml|dll]
For example Simplified Chinese version has the following files NRClientResourceZhCnxml for Network
Explorer NRConsoleResourceZhCnxml for Configuration Explorer and NRViewerResourceZhCnxml for
NeoRouter Portable
User Manual
NeoRouter Inc 2010 Page 27 of 53
Each resource file is an xml that contains all the strings defined in the NeoRouter applications The file is encoded in
ANSI The content should be in the format
ltxml version=10 encoding=windows-1252gt
ltresource CompactMode=1 Language=English (United States) LANGID=1033
version=09101650gt
ltstring id=100 value=OLE initialization failed Make sure that the OLE libraries are
the correct versiongt
ltresourcegt
Encoding (=windows-1252) Language(=English (United States)) and LANGID(=1033) are used to control
the translation version=09101650 is resource file version number introduced in v0910 The resource file can
be recognized properly only when these parameters are set properly
353 Multi-Language support for Add-ons
The names and descriptions of the add-ons can be translated to other languages as well You can download the add-
on configuration file from NeoRouter website and overwrite the following file
AllUserAppDataZebraNetworkSystemsNeoRouterAddOnsAddOnxml
36 Skin
Skin allows you to further customize the user interfaces of Network Explorer NeoRouter Portable and
Configuration Explorer
To install a new skin you can download the skin resource file from
httpwwwneoroutercomwikiindexphpNeoRouterWikiSkin and place them under the skin folder
For NeoRouter Network Explorer and Configuration Explorer the language resource files should be placed under
one of the following folders
ldquoProgram FilesZebraNetworkSystemsNeoRouterSkinrdquo
ldquoAllUsersAppdataZebraNetworkSystemsNeoRouterSkinrdquo
For NeoRouter PortableUSB the language resource file should be placed under Skin folder next to executable
To change default skin you need to modify (or create if not exists)
AllUserAppDataZebraNetworkSystemsNeoRouterFeatureini file and add the following
[Default]
SkinName=xxxxstyles
SkinStyle=xxxxini
37 Network Explorer CLI
NeoRouter Network Explorer Command Line Interface (CLI) allows user to sign in manage the computer list and
view computer status Below are the screenshots on Mac and Ubuntu Linux
User Manual
NeoRouter Inc 2010 Page 28 of 53
371 Launch CLI
Usage nrclientcmd [-d DOMAIN] [-u USERNAME] [-p PASSWORD] [-setproxy] [-setconn] [-dbroot DBROOT]
[-internal] [--help]
To launch Network Explorer CLI you can simply run nrclientcmd in a terminal without parameters Mac users can
simply double-click on the nrclientcmd shortcut on the Desktop You will be prompted for domain name and user
credential
If you need to launch nrclientcmd in a startup script you can also provide domain name or credential in the
command line arguments
If the client host is behind a proxy you can use ndashsetproxy option The proxy information will be stored in the
configuration file and nrclientcmd will respect this setting subsequently
There are also a few advance options
- setconn allow user to specify client-to-client connection type
- dbroot allow user to specify the location to store user data
- internal nrclientcmd will generate tags between information sections This option can be used by third
party developers to create a UI wrapper for CLI
372 Computer List in CLI
After signing in you will see your computer list just like on Windows The computer list will automatically update
if there are any changes in your virtual LAN eg a host comes online or offline
At the bottom of the screen lists the available commands you can use to manage the computer list change password
remotely wake up a computer or to quit
38 Network Explorer Portable
NeoRouter Network Explorer Portable can run from any computer without installation It does not require
administrator permission or use the virtual network adapter This application can be extremely useful for users who
need to connect to the VLAN from a public kiosk or from friendrsquos house
User Manual
NeoRouter Inc 2010 Page 29 of 53
Note Prior to v111 Portable and USB are two separate packages They are merged into one package in v111 and
later releases The new package is a zip file containing both the portable client and the USB Auto Run Configuration
Tool The functionalities are same as before
381 Network Explorer Portable
To use Network Explorer Portable client user can simply download it from NeoRouter download website and run
Then user will see the same user interface as the regular Network Explorer The user experience is almost the same
except for the following
The host running PortableUSB client cannot be added to the computer list or be accessed by remote computer
You can think of it as a ldquoviewer of the VLANrdquo
NeoRouter administrator users can see and manage hosts running PortableUSB clients in the Configuration
Explorer
382 Auto Run Configuration for USB
Auto Run Configuration Tool allows user to store the portable client add-ons and configuration on a USB drive
You can even configure it to launch and sign in automatically when the USB drive is plugged into a computer and to
sign out and exit when the USB drive is unplugged
Here are the steps for setting up the USB package
a Download NeoRouter for USB
b Unzip the package to any folder For example CTEMP
c Launch the ldquoAuto Run Configuration Toolrdquo (AutoRunCfgexe)
User Manual
NeoRouter Inc 2010 Page 30 of 53
d Click on the ldquohelliprdquo button next to the working directory text box and specify a working path If the target
USB drive is plugged in you can specify the USB drive root path as the working directory Or you can
specify a temporary path (eg CTEMPUSB) and copy the files to your USB driver later
e Once you specify a working directory the Settings section will be enabled
f Choose CliViewerexe from the same install zip package as the Target file
g Check the Sign in checkbox and enter the domain name and user information to log into your NeoRouter
VLAN
h Setup the proxy information if necessary
i If you want to import a NeoRouter add-on click on the button on the right side of the Add-on file text
box and specify an add-on nri file
j If you want to run an application automatically after signing in click on the Run application
automatically check box and input an executable file path and parameters
k If you want to hide the NeoRouter Viewer window click on the Minimize NeoRouter window when
started
l Click on Save button to save the configuration files It will generate the following files under the working
directory
- Autoruninf
- CliViewerexe copied from the target file
- NRAutoRunxml
- [add-on file]nri if you specify an add-on
- Proxyxml if you specify a proxy
m You will also see the following dialog if the configuration was successful Then please copy all files and
sub-folder under the working directory to the root of your USB drive And the USB drive is ready to use
39 Change Password
A user can change hisher password in NeoRouter Network Explorer User must sign in the Network Explorer using
old password then choose menu ldquoFile | Change Passwordrdquo then enter the new password in the dialog
Network Explorer CLI has similar functionality After signing in user can use ndashchangepassword command to enter
new password
If a user loses the old password an administrator can create a new password for himher using the Configuration
Explorer User Management tool
User Manual
NeoRouter Inc 2010 Page 31 of 53
4 Configuration Explorer
NeoRouter Configuration Explorer is a Windows application that allows an administrator to manage local or remote
NeoRouter server This is the recommended method to change server settings
If user does not have a Windows computer nrserver CLI can be used to perform most configurations
41 Launch and Sign In
Note Only administrators can sign in Configuration Explorer
a User can launch it from Windows Start Menu | All Programs | NeoRouter | NeoRouter Network Explorer
or from NeoRouter Network Explorer menu ldquoFile | Optionsrdquo
b After launch user will see a sign-in dialog that is similar to the Network Explorer counterpart Please enter
domain name and user credential to sign in If the local host is behind a proxy please click on Connection
button to set proxy information
c After sign in the following general information page will be displayed
User Manual
NeoRouter Inc 2010 Page 32 of 53
42 Managing Users
In the User Accounts page you can perform the following tasks
- View existing users The users list can be sorted by any column
- Add a new user admin will create a temporary password for the new user and user can change the
password in Network Explorer
- Edit user information you can enter anything like employer contact info etc
- Set userrsquos password If a user loses password admin can set a temporary password for himher Then user
can change the password again in Network Explorer
- Disable (block) a user A disabled user will not be able to sign in Network Explorer or Configuration
Explorer The userrsquos profile and ACL settings are retained
- Delete a user all information of this user is deleted
- View the computers that are visible to this user (see ACL section for details)
User Manual
NeoRouter Inc 2010 Page 33 of 53
43 Managing Computers
In the Computers page you can perform the following tasks
- View existing computers please note that the Type column will show ldquoTemporaryrdquo for Network Explore
PortableUSB clients and ldquoPermanentrdquo for regular clients The computer list can be sorted by any column
- Edit a computerrsquos alias When a computer is added to the virtual network NeoRouter reads the computer
name from the OS and displays it in the computer list If you prefer a different name you can create an
alias which will then be used in the computer list
- Edit a computerrsquos description you can enter anything like computer owner location asset id etc
- Edit ACL this will be discussed in next section
User Manual
NeoRouter Inc 2010 Page 34 of 53
44 Access Control List
This feature is available in NeoRouter Profession Edition only
441 Overview
The ACL of a host specifies which users are granted or denied access to the host and which specific services or ports
are allowed Administrators can use ACL to manage a NeoRouter domain that has users with different trust levels
For example Joe uses NeoRouter to manage the office network at his small business He wants to share some
documents on a file server with a customer but block this customer from accessing other services on this file server
and other computers at office At the same time Joe and his coworkers should continue to have full access to all
computers
This can be a daunting task with traditional VPN solutions Once Joersquos customer is connected into the office
network heshe can access all network resources just like Joe and his coworkers If the office uses a domain
controller it can help mitigate the threat but Joe would have to check all the computers to ensure they are secure
Some coworkers can make innocent mistakes and share important files or internal websites with ldquoeveryonerdquo With
NeoRouter Joe can manage all the access control at one place and easily solve this challenge
User Manual
NeoRouter Inc 2010 Page 35 of 53
ACL defines the relationships between users and computers that can be conceptually represented using a table In
Joersquos case he needs to define the ACL as follows
Default User Joe (Admin) Customer Joersquo Co-workers
Default Computer ACL Block all
File Server Allow all Allow file sharing
block other services
Office Computer A Allow all Block all
Office Computer B Allow all Block all
Joersquos laptop Allow all Block all
Customerrsquos Computer
Letrsquos first look at the row for File Server Joersquos customer will only have access to the files sharing service There is
no ACL defined for Joe and his co-workers so the ACL for Default User is effective and they have full access
Similarly the customer will be blocked from accessing office computer A and B as well as Joersquos laptop while Joe
and his coworkers have full access to these computers
When the customer connects to Joersquos NeoRouter domain his computer will be added to the domain Because the
ACL for this computer is undefined it will have the same ACL as ldquoDefault Computerrdquo Thus the customerrsquos
computer will block all users including Joe from accessing it The customer has physical access to his own
computer
442 Define Computer ACL
You can think of a computerrsquos ACL as a row in the above ACL table An admin can select any computer in the
computer list and edit its ACL If a group of computers share the same ACL admin can copy ACL from one
computer to another
To edit the Default Computer ACL you can click on the ldquoEdit Default ACLrdquo button in the tool bar
User Manual
NeoRouter Inc 2010 Page 36 of 53
443 Define ACL entry
An ACL entry defines the relationship between one user and one computer You can think of it as a cell in the above
table To edit an ACL entry you can select the computer in the computer list click Edit ACL in the tool bar and
then select the user in the User List in the following dialog If the user does not exist in the list you can click Add
button and add himher
There are 4 types of ACL entries
Undefined the relationship between the user and the computer is not explicitly defined The user does not
show up in the User List of the ACL In this case the Default User ACL entry for this computer will be
effective
Block All the computer is invisible to the user User cannot add the computer to hisher computer list in
Network Explorer or connect to it
Note admin can view the list of computers that is visible to a specific user Click on the User Accounts tab
choose the user and then click on the ldquoUser Computer Listrdquo button from tool bar
Firewall On User can only access the services in the exceptions list provided by the computer
Firewall Off User can access all services provided by the computer
To define the Default User ACL entry for a computer choose Default User from User List If several users have the
same trust level admin can copy the ACL entry from one user to another using the ldquoCopy Fromrdquo button
444 How Firewall Works
NeoRouter Client Service daemon has a built-in firewall that monitors traffic in the virtual network The firewall
downloads the ACL from server and uses it to allow or deny incoming connections in the virtual network
User Manual
NeoRouter Inc 2010 Page 37 of 53
When a remote computer establishes a direct P2P or relayed connection to local host it also informs which user has
signed into the Network Explorer on the remote computer Then the local hostrsquos firewall will use the user id to
choose the appropriate ACL entry and control the virtual network traffic between these two computers If user does
not sign in Network Explorer on the remote computer the Default User ACL entry is used
As a result NeoRouter firewall can control a userrsquos access to a network resource (a computer or a service on a
computer) based on the ACL
445 Example hub-and-spoke
Jeffrsquos company has three business partners A B and C Jeff needs to setup bidirectional network connections with
each partner but these partners should be invisible to each other Jeff setup a NeoRouter domain and invited the
partners to Then Jeff creates the following ACL to achieve his access control goals
Default User Jeff (Admin) Partner A Partner B Partner C
Default Computer ACL Block all Allow all
Jeffrsquos Computer 1 (Hub 1) Allow all
Jeffrsquos Computer 2 (Hub 2) Allow all
Partner Arsquos Computer
Partner Brsquos computer
Partner Crsquos computer
Every user will have access to Jeffrsquos two computers (hub) because they have Default User ACL entry as ldquoAllow
allrdquo Partner Arsquos computer does not have a specific ACL defined so the Default Computer ACL is effective The
Default Computer ACL grants Jeff access to Partner Arsquos computer but make the computer invisible to Partner B and
C Partner A have physical access to his own computer
446 Example one-way access
Jasonrsquos company provide technical support for customer A Jason needs to have one-way access to Customer Arsquos
computer but block Customer A from accessing Jasonrsquos computer Jason sets up the following ACL for his domain
and invites Customer A to join his domain Jason can access all the computers in the domain while Customer A can
access none except for his own
One day Jason visits another Customer Brsquos office He installs NeoRouter client on Customer Brsquos computer so that he
can provide technical support remotely in the future When he signs into Network Explorer he makes sure to
uncheck ldquoremember my passwordrdquo checkbox When he leaves customer Brsquos office he exits the Network Explorer
Because Network Explorer is not running on Customer Brsquos computer the Default User ACL governs the
connections from Customer Brsquos computer to other computers in the VLAN Thus Customer B does not have access
to any computers except for his own When Jason goes back to his office he can connect to Customer Brsquos computer
remotely and provide customer support
The difference between Customer A and B is that Customer A has a NeoRouter user account while Customer B does
not The result is that Jason has access to all three computers while Customer A or B can only access hisher own
computer
Default User Jason (Admin) Customer A
Default Computer ACL Block all Allow all
Jasonrsquos Computer
Customer Arsquos Computer
Customer Brsquos Computer
User Manual
NeoRouter Inc 2010 Page 38 of 53
45 Managing Server and Domain
In the Settings page you can perform the following tasks
- Change domain name User should have setup a domain during the server installation If you decide to
change the domain name you can create a new domain at NeoRouter Dashboard website and then use
Configuration Explorer to switch the server to new domain
- Change Listen Port this is discussed in the Advanced Configuration chapter
- Change NAT setting this is discussed in the Server Installation chapter
- Change DHCP this is discussed in the Advanced Configuration chapter
Please restart the NeoRouter server daemon after changes
46 Branding
This feature is available in NeoRouter Profession Edition only
Admin can customize the logo on the sign-in page NeoRouter Network Explorer and the banner below the computer
list The customization page of the Configuration Explorer allows user to make these changes The changes will be
effective next time user signs into the Network Explorer
User Manual
NeoRouter Inc 2010 Page 39 of 53
a Logo format custom logo can be JPG JPEG BMP or GIF files The Logo will be displayed in 180 80
pixels and the file will be automatically resized to fit The color of the pixel at (0 0) will be used as the
transparent color
b Banner format custom banner can be JPG JPEG BMP or GIF files The banner will be displayed in
190 42 pixels and the file will be automatically resized to fit
c When user clicks on the banner Network Explorer will launch a web browser and navigate to the link
specified in the ldquoBanner Linkrdquo box The banner link should be a valid URL that begins with http eg
httpwwwgooglecom
User Manual
NeoRouter Inc 2010 Page 40 of 53
47 Server Configuration CLI
Another way to configure the NeoRouter server is to use nrserverrsquos CLI If user does not have a Windows computer
with Configuration Explorer this tool can be used to set most configurations
Usage nrserver [options]
-run [--dbroot ltDBROOTgt]]
-showsettings
-setdomain ltDOMAINNAMEgt ltDOMAINPASSWORDgt
-setport ltPORTgt
-dhcp ltSUBNETgt ltNETMASKgt
-showusers
-adduser ltUSERNAMEgt ltPASSWORDgt [admin|user]
-setpassword ltUSERNAMEgt ltNEW PASSWORDgt
-setrole ltUSERNAMEgt [admin|user]
-enableuser ltUSERNAMEgt
-disableuser ltUSERNAMEgt
-deleteuser ltUSERNAMEgt
-showcomputers
-deletecomputer COMPUTERNAME
-setalias COMPUTERNAME ALIAS
-help
5 Advanced Configuration
51 Change Server Port
By default NeoRouter server listens at TCP port 32976 for incoming client connections User can change the
listening port to any valid number between 1 and 65534
a Launch Configuration Explorer sign in and open the Settings tab
b Click on ldquoChange Portrdquo button input the new listening port and click ldquoOkrdquo to save the settings
c If the NeoRouter Server is running on the same computer user will be prompted for restarting the
NeoRouter Server
d If the NeoRouter Server is running on a different computer or device user needs to restart the server
manually
User Manual
NeoRouter Inc 2010 Page 41 of 53
Note
- The new settings will not take effect until the NeoRouter server stops and restarts
- Since the listening port has been changed all NeoRouter clients connected to the server will be
disconnected and have to reconnect to the server
52 Change DHCP NeoRouter server acts as a DHCP server to allocate the virtual IP address when a NeoRouter client connects to it By default the base IP address is 100002552552550 User can change the base IP address to any valid network IP address to meet the specific requirements
a Run Configuration Explorer sign in and open the ldquoSettingsrdquo tab b Click on ldquoChange DHCPrdquo button input the new IP address and netmask and then click ldquoOkrdquo to save the
settings c If the NeoRouter Server is running on the same computer user will be prompted for restarting the
NeoRouter Server d If the NeoRouter Server is running on a different computer or device user needs to restart the server
manually
Note
- The new settings will not take effect until the NeoRouter server stops and restarts
53 Network Bridge
531 Overview NeoRouter (v099 or later) supports the Network Bridge feature which uses two very different means for
interconnecting networks routing and bridging Once the feature is enabled the ACL feature will be disabled
automatically as we cannot control the packets from the external networks anymore and may cause security issues if
its not setup properly So this is an advanced feature for the users who know about it every well
Routing - refers to the interconnection of separate and independent sub-networks (subnets) which have non-
overlapping ranges of IP addresses Upon receiving a packet sent to it a network router examines the
destination IP address to determine which of several connected networks should receive it after which that packet
is forwarded to the proper network
User Manual
NeoRouter Inc 2010 Page 42 of 53
Bridging - by comparison is much simpler A network bridge is simply an electrical interconnection between
separate physical networks that are all carrying the same ranges of IP addresses Standard dumb network hubs
and switches are examples of network bridges With a hub packets arriving at any port are bridged and sent
out to every other port A switch is a bit smarter since it is able to adaptively learn which network interface cards
(NICs) are attached to which ports But a switch is still interconnecting network segments carrying the same
ranges of IP addresses
532 Routing vs Bridging Although routed connections are the most common and straightforward to configure they suffer from significant
operational limitations By comparison bridged connections are generally much trickier to configure and are not
even natively available under all operating systems so they are not the default connection type But when bridging
is properly setup it correctly does everything that we want
Bridging and routing are functionally very similar with the major difference being that a routed VPN will not pass
IP broadcasts while a bridged VPN will
Routing advantages
Efficiency and scalability
Allows better tuning of MTU for efficiency
Routing disadvantages
Clients must use a WINS server (such as samba) to allow cross-VPN network browsing to work
Routes must be set up linking each subnet
Software that depends on broadcasts will not see machines on the other side of the VPN
Works only with IPv4 in general and IPv6 in cases where tuntap drivers on both ends of the connection
support it explicitly
Bridging advantages
Broadcasts traverse the VPN -- this allows software that depends on LAN broadcasts such as Windows
NetBIOS file sharing and network neighborhood browsing to work
No route statements to configure
Works with any protocol that can function over ethernet
Relatively easy-to-configure solution for road warriors
Bridging disadvantages
Less efficient than routing and does not scale well
533 Setup Network Bridge With either bridging mode or routing mode one can create point-to-site VPN site-to-site VPN or even multiple site-
to-site networks Once a network structure is well designed one can use Featureini file to control NeoRouter client
service to implement it
The file Featureini is located in the main configuration folder which can be various for different OS
On Windows Xp
XDocuments and SettingsAll UsersApplication DataZebraNetworkSystemsNeoRouter
On Vista+
XUsersAll UsersZebraNetworkSystemsNeoRouter
On Linux and Mac OSX
usrlocalZebraNetworkSystemsNeoRouter
On in-a-box
jffs
If it does not exist please create one
The only thing to do is define the parameters in the Featureini file
User Manual
NeoRouter Inc 2010 Page 43 of 53
NetworkBridge=1
LANSegment parameter
This is a set of parameters used for mapping the external IP address or IP range to a virtual IP address so that
NeoRouter can route the packets to the proper tunnel Its defined in the following format
LANSegment[index]=[IP|IP range|segment]VIP
[index] - number start from 1 for example 123
[IP] - a valid external IP address for example 192168129126
[IP range] - a set of external IP addresses in the format as IP_BEGIN-IP_END For example 192168129126-
192168129128
[segment] - a set of external IP addresses in the format as SUBNETWORKNETMASK For example
19216812902552552550
For example
[Default]
NetworkBridge=1
LANSegment1=192168129126-192168129128192168129204
LANSegment2=192168129120192168129205
LANSegment3=192168302552552550192168129206
In the sample above the setting tells NeoRouter how to route packets
Here are several common scenarios
534 Bridging Setup ndash point to site VPN
Requirement
A company wants create a point-to-site VPN so that the employees can remotely access the printers or computers in
the office from home or customer site Since NeoRouter client cannot be installed on the printers and some
User Manual
NeoRouter Inc 2010 Page 44 of 53
computers that are running Unix OS (HP-Unix Solaris or SCO Unix) the NeoRouter Network Bridge feature
would the best choice
Design
Since we want to use the printer its better to use the bridging mode Depending on the requirements we split the
network into 3 groups
1 192168129126 - 192168128128 used for computers or printers
2 192168129200 - 192168129254 used for NeoRouter DHCP
3 Other IP address we dont want packets from these IP range go to our VPN
Setup
1 Setup NeoRouter server and config the DHCP address to 1921681292002552552550
2 Setup the gateway computer by creating a bridge to combine the NeoRouter virtual adapter and a local adapter
On Windows XP+ (except WinXp x64) one can use Windows tool to create a bridge
(check out MSDN for details)
Since some adapters may not fully support prosmic mode one has to enable it manually
(check out httpsupportmicrosoftcomkb302348)
gt netsh bridge show adapter
gt netsh bridge set a 1 e
gt netsh bridge set a 2 e
On Linux one can use brctl command to create a bridge
gt brctl addbr $br
gt brctl addif $br eth0
gt brctl addif $br nrtap
gt ifconfig nrtap 0000 promisc up
gt ifconfig eth0 0000 promisc up
gt ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast
gt
gt ifconfig $br down
gt brctl delbr $br
3 Setup Featureini file on each member of the NeoRouter network The content of the file is
[Default]
NetworkBridge=1
LANSegment1=192168129126-192168129128192168129204
After setting the file restart the nrservice or reboot computer
User Manual
NeoRouter Inc 2010 Page 45 of 53
535 Routing Setup ndash site to site VPN
Requirement
A company wants create a site-to-site VPN to link two offices located in different cities They cannot install
NeoRouter client software on their computers running Unix OS (HP-Unix Solaris or SCO Unix) The NeoRouter
Network Bridge feature would be the best choice
Design
To make the VPN fast its better to use the routing mode From the requirements we can see 3 networks
1 19216812902552552550 Office 1
2 192168302552552550 Office 2
3 100102552552550 NeoRouter virtual network
Setup
1 Setup NeoRouter client on each gateway computers
2 One each gateway computer enable the feature allowing the OS to forward packets
On Windows 2000+
create HKEY_Local_MachineSystemCurrentControlSetServicesTcpipParametersIPEnableRouter
as a string value equal to 1 in the registry This will require a system reboot to take effect To confirm it
is enabled do ipconfig all from the command line IP Routing Enabled should say yes If not confirm your
registry setting and reboot again This setting is flaky in non-server versions of Windows
Also refer to httpsupportmicrosoftcomkb230082en-us
On Linux
gt echo 1 gt procsysnetipv4ip_forward
User Manual
NeoRouter Inc 2010 Page 46 of 53
On Mac OS X
1) The easy way is to create or edit etcsysctlconf and add netinetipforwarding=1
or
2) gt sysctl -w netinetipforwarding=1
3 Setup route on each gateway
On the gateway of the 1921683x network
gt route ndashp add 1921681290 mask 25525500 1001103
On the gateway of the 192168129x network
gt route ndashp add 19216830 mask 25525500 1001102
4 Setup route stable When using routing method you need to tell your other machines how to cross the VPN to
access computers on the opposite network
Option1
This requires more work but limits configuration changes to be at the computer level
On each computer of the 1921683x network
gt route ndashp add 1921681290 mask 25525500 1921683234
On each computer of the 192168129x network
gt route ndashp add 19216830 mask 25525500 192168129129
Option 2 (not all routers support this but it is the minimal configuration method)
On the router acting as the default gateway for 1921683x network add a static route that says any traffic destined
for 1921681290 network go through 1921683x (IP address of NeoRouter PC on 1921683x network)
On the router acting as the default gateway for 192168129x network add a static route that says any traffic
destined for 19216830 network go through 192168129x (IP address of NeoRouter PC on 192168129x
network)
User Manual
NeoRouter Inc 2010 Page 47 of 53
536 Bridging Setup ndash site to site VPN
537 Run Scripts When Network Bridge feature is enabled one can define commands getting called by NR Client on the following
events
These commands should be defined in the Featureini file
1When initialize the tap device but not activate it yet
CmdOnTapInit=xxxxxxxxx
2When the tap device gets activated
CmdOnTapActive=xxxxxxxxx
3When tap device gets destroyed
CmdOnTapUninit=xxxxxxxxx
These options are available on all platforms
For example one can define a script to setup static route table after the tap gets activated and has virtual IP address
assigned
Featureini
CmdOnTapActive=usrbinsetroutetablesh
User Manual
NeoRouter Inc 2010 Page 48 of 53
54 Build Custom Add-on (Windows)
541 Create Custom Add-on You can customize an add-on or even create your own
As an example letrsquos create an add-on to get the system info of a remote computer using PsTools by Mark
Russinovich and systeminfoexe command shipped with Windows
PsTools httptechnetmicrosoftcomen-ussysinternalsbb896649aspx
systeminfo httptechnetmicrosoftcomen-uslibrarybb491007aspx
a Launch NeoRouter Network Explorer open Add-ons Manager dialog
b Click + button to create a new add-on
c In add-on properties dialog enter the following
Add-on name psexec systeminfo
Command
cmdexe C cpstoolspsexecexe NRIPAddress -u ltusernamegt systeminfo amp pause
Please replace ltusernamegt with username on the remote computer
Comment Get SystemInfo of remote machine using psexec
Startup Type Manual
Icon click Change Icon button to choose one thats easy to recognize
d In the command you can use Windows environment variables or NeoRouter variables like
NRIPAddress If you click on the button next to the Command edit box you will see the Edit
Command dialog with a list of variables you can use
User Manual
NeoRouter Inc 2010 Page 49 of 53
e Three Startup types are supported
Manual the add-on will be displayed in the launch pad of Network Explorer and user can manually
launch the program
Automatic after signing in the add-on command is automatically executed when user signs into
NeoRouter Network Explorer
Automatic after Windows starts the add-on command is automatically executed when Windows
starts
f Launch the new add-on just click on the target computer in Network Explorer and choose the add-on in
the pop-up launch pad
User Manual
NeoRouter Inc 2010 Page 50 of 53
g In the above steps I have assumed that PsTools are installed at cPsTools and the remote computer has
telnet service enabled If not lets configure the system now
PsTools download from httptechnetmicrosoftcomen-ussysinternalsbb896649aspx and extract to
cPsTools folder
h Configure telnet service on remote computer This step is required on XPVista but not necessary on
Windows 20032008 servers
Run servicesmsc from the Start -gt Run command window and configured the Telnet service for
Automatic Start the service
Follow the instructions here httpsupportmicrosoftcomkb298060en-us
Launch Windows firewall and add CWINDOWSSystem32tlntsvrexe to exception list
542 Add-on File Formats
NeoRouter supports two types of add-on files nri and nra Most users only need to deal with nri files all files
downloaded from httpwwwneoroutercomaddonsindexhtml are in this format nra files are used by advanced
users to build custom add-ons
nri is the full installation package that contains both the application and the the configure info Users can simply
download nri files from and use the Install button to setup the add-on
nra contains only the configuration info Advanced users can create custom add-ons and export the configuration
info as nra files using the Export button in the add-on properties dialog Then heshe can import the nra file
on another client But remember that you will need to manually setup the application as well
User Manual
NeoRouter Inc 2010 Page 51 of 53
6 Licensing NeoRouter
61 Licensing Overview
NeoRouter Server Professional Edition has a license control mechanism User can purchase either 8 licenses or 256
licenses The number of licenses is the max number of client computers allowed in the virtual network A
NeoRouter client requires one license regardless of whether it is online or offline A NeoRouter PortableUSB client
requires one license when it is connected to the virtual network There is no limit on the number of user accounts
NeoRouter Professional has 30 days trial period Please activate before the trial period expires to ensure
uninterrupted usage The license status and remaining trial days can be found at Configuration Explorerrsquos General
page
62 Activation
If you have purchased NeoRouter Professional Edition you should receive a product key in email Please have the
product key ready before starting the activation process
a Ensure NeoRouter server is running
b Launch Configuration Explorer and sign in
c Open ldquoGeneralrdquo page click on the ldquoActivate Productrdquo button
d Enter the product key in the following dialog
e Click on the ldquoOKrdquo button to activate it
After successful activation the ldquoActivate Productrdquo button will disappear and License status will show as activated
If the server host is non-Windows you can also activate using nrserverrsquos CLI The command is as follows On Mac
nrserver executable is located under LibraryNeoRouter
ldquonrserver ndashactivateproduct ltPRODUCT KEYgtrdquo
63 Product Key Recovery
You should receive a product key in email within 48 hours after your purchase If you lose the product key please
contact us and provide your name company shipping address and email address We will verify the information and
resend the product key to you
User Manual
NeoRouter Inc 2010 Page 52 of 53
7 Troubleshooting and Support
71 Troubleshooting
If you come cross issues when using NeoRouter please use the methods to debug or report
711 Troubleshooting steps
1Install Server
2Check Server
Process
3Check Server
Listening port
4Check Port
Forwarding
6Signin with
Domain
14Check Error
Message
20 Generate Log
and email support
9Install Client
10Check Client
Service Process
11Sign in with
serverrsquos local or
public IP and port
failed
sucessful
15 Manually Start
Servernot found
started
not start
found
not open17 Check Port
conflicts
solved
Not solved
opened
19 Check Router
Port Forward
setting
not work
Set properly
8Ready
Sign in successfully
5Sign in with
public IP and port
successful
Cannot sign in
22 Router Hairpin
issue
Cannot
sign in
12Sign in with
domain name
found
successful
failed
16 Manually Start
Client ServiceNot found
started
13Ready
Sign in successfully
18 Check serverCannot
Sign in
solved
Cannot
sign in
21 Check domain
setting
Not sovled solved
Troubleshooting Steps
Setup Server Setup Client
Note
Step 2 and 10 to check if a process is running you can use Task Manager or Services Console on
Windows or ps command on other platforms
Step 3 to check server listening port you can use telnet or netstat on all platforms You can also
TcpViewer on Windows or NetActView on Linux
Step 4 to check port forwarding you can use httpwwwneoroutercomcheckportphp
Step 5 and 6 Tip ndash use Configuration Explorer instead of Network Explorer to debug server issues
Step 20 next section will explain how to generate log files
User Manual
NeoRouter Inc 2010 Page 53 of 53
Step 22 If your router does not support Hairpin please set serverrsquos LAN address in the Connection
Options dialog See Server Local Address
712 Generate Log
If you need technical support please use the following steps to collect the log files and send them to
supportneoroutercom
a Launch Network Explorer
b Select menu item HelpgtgtTroubleshootinggtgtLog Session to File
c If you want to troubleshoot the server then restart the NeoRouter server service from the servicesmsc if
you want to create log for the client then restart the NeoRouter client service from the servicemsc
d After reproduce the issue select menu item HelpgtgtTroubleshootinggtgt Log Session to File again to disable
the log and restart the service you are trying to log
e Select menu item HelpgtgtTroubleshootinggtgtOpen Configuration Folder and you will see the log file
For advanced users please setup logging settings manually referring to
httpwwwneoroutercomwikiindexphpNeoRouterWikiFAQHow_to_generate_a_log_file3F
72 Contact Us
Company website
httpwwwneoroutercom
Technical support
supportneoroutercom
Support ticket
httpswwwneoroutercomDashboardSendTicketaspx
Support forum
httpwwwneoroutercomforum
Product sales
salesneoroutercom
Knowledge base
httpwwwneoroutercomsupport
User Manual
NeoRouter Inc 2010 Page 6 of 53
14 How it works
In the NeoRouter domain shown in the above diagram three clients at different locations can establish direct P2P
connections with the help from server and can communicate to each other as if they were in the same physical LAN
A NeoRouter server is usually setup on an always-on host that has stable Internet connection and a static or dynamic
public IP address If server is behind a router (or firewall) user needs to configure the router and expose the
NeoRouter server port (default to 32976) to Internet by port-forwarding or UPnP
NeoRouter client can connect from anywhere as long as it has Internet connection User can simply launch
NeoRouter Network Explorer signs in with user credential and domain name and heshe will be able to view the list
of hosts in the VLAN and launch add-on programs to access them Network Explorer uses a DDNS-like protocol to
discover and connects to the NeoRouter server (blue lines) When user executes add-on programs NeoRouter client
will establish a direct P2P connection to the requested peer client (green lines) and a secure tunnel that transfers the
network data from all the add-on programs
NeoRouter server remembers the signature of a client after its first successful connection and NeoRouter Client
Service daemon can then connect to the VLAN without requiring user to log into NeoRouter Network Explorer
This allows an untended server to always stay connected
NeoRouter clients use the STUN and STUNT methods to establish the direct P2P connections and achieve highest
connection speed These methods are widely used in P2P programs and have very high success rate If a client is
behind a symmetric NAT which is often found in large corporations these methods may fail and the connection to
this client will fall back to relay mode If the traffic between two clients is relayed through server the serverrsquos
physical location network speed and CPU load may affect the connection speed
NeoRouter uses SSLv3 (AES-256) protocol to secure the communication channel between client and server and uses
a suite of protocols (RSA 2048bit DH and AES-256) to protect P2P connections among clients This solution meets
the industryrsquos highest security standards
User can setup NeoRouter server and client on the same host NeoRouter server by itself cannot add a host into
VLAN or communicate with peer clients using their virtual IP addresses User often sets up NeoRouter client
software on the same host as server so that this host can become part of the VLAN
User Manual
NeoRouter Inc 2010 Page 7 of 53
15 System Requirements
NeoRouter client and server can be installed on
Windows (Win 7VistaXP200820032000)
Mac OSX (x86 LeopardSnow Leopard PPC Tiger)
Linux i386 and x64 (RedhatFedoraCentOS UbuntuDebian SuSE)
Linux-based router firmware (Tomato OpenWRT Kamikaze Fonera2n)
16 Acknowledgements
NeoRouter is made possible because of the following open-source projects
OpenSSL the Open Source toolkit for SSLTLS httpwwwopensslorg
OpenWrt a Linux based firmware program for embedded devices such as residential gateways and routers
httpwwwopenwrtorg
Tomato Firmware a small lean and simple replacement firmware for Broadcom-based routers
httpwwwpolarcloudcomtomato
Fon A router that allow its user to securely share their Wi-Fi network with other Fon members httpwwwfoncom
Tun-Tap OSX the virtual network interface for Mac OS X httptuntaposxsourceforgenet
Nullsoft Scriptable Install System (NSIS) a professional open source system to create Windows installers
httpnsissourceforgenet
NRClientX a GUI frontend for NeoRouter Network Explorer on Mac Linux and Windows
httpsourceforgenetprojectsnrclientx
User Manual
NeoRouter Inc 2010 Page 8 of 53
2 Installation
21 Check list
Here are the steps to setup a NeoRouter Virtual LAN Please refer to next few sections for detailed instructions on
your target operating systems
Server Setup
a Choose a host that meets the network requirements as NeoRouter server
b Install NeoRouter server software
c Create the first administrator if necessary
d Setup NeoRouter domain
e Configure router or firewall for port-forwarding or UPnP if necessary
Note NeoRouter Server for Windows has an install wizard that guides user through steps b c amp d
Client Setup
a Install NeoRouter client software
b Sign In Network Explorer and join this host to VLAN
c Install add-ons if necessary
License activation See Chapter 6 Licensing NeoRouter
22 Server Setup
221 Server Network Requirements
A NeoRouter server is usually setup on an always-on host that has stable Internet connection and a static or dynamic
public IP address If server is behind a router (or firewall) user needs to configure the router and expose the
NeoRouter server port (default to 32976) to Internet by port-forwarding or UPnP
222 Install NeoRouter server on Windows
a Download NeoRouter installation package for Windows NeoRouter server and client for Windows share
the same installation package
If you are installing on Windows 2000 please download the package for this OS
b If you have installed an earlier version of NeoRouter please uninstall it using Windows Add or Remove
Program tool
You may be prompted with a dialog box asking whether to remove user data files generated by NeoRouter
These files include database configuration and cached information If you are simply upgrading please
click ldquoNordquo to keep the files
c Launch the installation wizard choose NeoRouter Server and click the Next button
User Manual
NeoRouter Inc 2010 Page 9 of 53
d Setup a domain name that can uniquely identify your virtual LAN You will need to enter the domain name
in the log on to box during sign in
e Setup the administrator account for your domain You will need to enter the username and password during
sign in
User Manual
NeoRouter Inc 2010 Page 10 of 53
f Click the Finish button to complete installation
g NeoRouter is installed under ldquoProgram FilesZebraNetworkSystemsNeoRouterrdquo and user data is stored
under ldquoAllUsersAppdataZebraNetworkSystemsNeoRouterrdquo
h NeoRouter server daemon can be controlled in Services Console (servicesmsc)
223 Install NeoRouter server on Mac
a Download NeoRouter server for Mac
b If you have installed an earlier version of NeoRouter please uninstall it In a terminal execute command
sudo LibraryNeoRouterrmnrserversh
c Double-click nrserver-ltversiongt-ltreleasegtdmg to open the disk image in Finder
d Double-click NeoRouterServermpkg to launch installer
e NeoRouter is installed under LibraryNeoRouter folder and user data is stored under
usrlocalZebraNetworkSystemsNeoRouter
224 Install NeoRouter server on Linux
a Download NeoRouter Server for your Linux distribution
b If you have installed an earlier version of NeoRouter please uninstall it
Redhat and Fedora sudo rpm -e nrserver
SuSE sudo rpm -e nrserver
Ubuntu and Debian sudo dpkg -r nrserver
c Install
Ubuntu amp Debian sudo dpkg -i nrserver-ltversiongt-ltreleasegti386deb
SuSE sudo rpm -i nrserver-ltversiongt-ltreleasegti386rpm
Redhat and Fedora sudo rpm -i nrserver-ltversiongt-ltreleasegti386rpm
Configure OpenSSL NeoRouter is compiled using openssl 098g If you have an older version of
Fedora please upgrade the openssl package You may also need to add the following symbol links
cd lib
ln -s libcryptoso098g libcryptoso098
ln -s libsslso098g libsslso098
d Configure firewall for NeoRouter server listening port
User Manual
NeoRouter Inc 2010 Page 11 of 53
Redhat and Fedora In a terminal run command sudo nano etcsysconfigiptables add -A INPUT -m
state --state NEW -m tcp -p tcp --dport 32976 -j ACCEPT before COMMIT
SuSE Launch firewall configuration tool choose Allowed Services in the left panel choose External
Zone in the first drop-down box choose NeoRouter server in the second drop-down box click Add
button click Next click Finish to save the changes
Ubuntu does not support firewall by default If you setup any firewall please open NeoRouter server port
(32976 by default)
e NeoRouter is installed under usrbin and user data is stored under
usrlocalZebraNetworkSystemsNeoRouter
225 Install NeoRouter Server on OpenWRT Kamikaze
a Connect to the router using ssh
b Update available install packages using command opkg update
c If you have installed an earlier version of NeoRouter please uninstall it opkg uninstall nrserver
d Install opkg install httpwwwneoroutercomDownloadsKamikazenrserver_ltversiongt-
ltreleasegt_mipselipk
e Configure firewall for the NeoRouter server listening port
edit etcfirewalluser and add the following
iptables -t nat -A prerouting_wan -p tcp --dport 32976 -j ACCEPT
iptables -A input_wan -p tcp --dport 32976 -j ACCEPT
f NeoRouter is installed under usrbin and user data is stored under
usrlocalZebraNetworkSystemsNeoRouter
226 Install NeoRouter Server on Tomato
a Download NeoRouter Server for Tomato It is a custom build of the full tomato firmware in TRX format
b Flash your router with the downloaded firmware See httpenwikibooksorgwikiTomato_(firmware) for
instructions
c In tomato UI ndash Administration ndash Jffs2 enable jffs and format if needed
d In tomato UI ndash Administration ndash scripts ndash WAN up add usrbinnrserversh start
e Reboot router
f NeoRouter is installed under usrbin and user data is stored under
usrlocalZebraNetworkSystemsNeoRouter
g Troubleshoot If you have trouble signing into NeoRouter Network Explorer from a remote client please
try DISABLE the Inbound Connection Logging In tomato UI - Status - Logs - Logging Configuration
disable Inbound Connection
227 Install NeoRouter Server on Fonera 20 N
a Download the NeoRouter Server for Fonera 20N (FON Plugin) package
b Open browser and log on to Fonera router web interface By default it is http192168101
c Navigate to Dashboard gtgt Applications
d If you have installed an earlier version of NeoRouter please uninstall it choose NeoRouter and click on the
ldquoXrdquo button to remove it
e Make sure there is more than 13MB free space left on the device
f Click the Browse button and choose the NeoRouter package then click the Upgrade button
g The installation will complete in a few seconds and the webpage will refresh automatically Do not
interrupt your browser during installation
h Please verify that NeoRouter icon shows up in the applications list and dashboard
i NeoRouter is installed under usrbin and user data is stored under
usrlocalZebraNetworkSystemsNeoRouter
User Manual
NeoRouter Inc 2010 Page 12 of 53
228 Create first administrator account
On Windows the install wizard will guide user to create the administrator
On non-Windows platforms NeoRouter can defer the authentication to the OS So user can sign in NeoRouter
using the same username and password as heshe logs into OS An exception is that if userrsquos OS account does
not have a password NeoRouter will not allow heshe to log in In this case user must create the first
administrator account using nrserver CLI ldquonrserver -adduser ltusernamegt ltpasswordgt [admin|user]rdquo On Mac
nrserver is located under ldquoLibraryNeoRouterrdquo
229 Setup NeoRouter domain
This step is only necessary on non-Windows platforms because Windows install wizard does this
automatically
a Launch web browser navigate to Dashboard CreateDomain page
httpswwwneoroutercomDashboardCreateDomainaspx fill the form and click Save
b Open a terminal on the server host and execute ldquonrserver -setdomain ltdomain namegt ltdomain
passwordgtrdquo On Mac nrserver is located under ldquoLibraryNeoRouterrdquo
2210 Port forwarding
This step is only necessary if your server host is behind a router or firewall We need to expose the NeoRouter
server port to Internet so server can accept incoming connections from the NeoRouter clients If you are using
NeoRouter in-a-box version and your router is directly connected to the cableDSL modem this step is
unnecessary
a Assign the server host a static LAN IP address
b Add ltserver host IP port 32976gt to Port Forwarding list NeoRouter server listens at port 32976 by default
and admin can change the port number using Configuration Explorer or nrserver CLI
Another option is to expose the NeoRouter server port is by UPnP This is only supported on Windows
a Enable UPnP in your router or firewall
b Launch Configuration Explorer on the server host click on ldquoSettingsrdquo tab and change ldquoserver NAT
settingrdquo to ldquoEnable UPnPrdquo
c Click the ldquoRestartrdquo button to restart server daemon
23 Client Setup
231 Install NeoRouter Client on Windows
a Download NeoRouter installation package for Windows NeoRouter server and client for Windows share
the same installation package
If you are installing on Windows 2000 please download the special package for this OS
b If you have installed an earlier version of NeoRouter please uninstall it using Windows Add or Remove
Program tool
c Run the installation wizard choose NeoRouter Client and click the Next button
User Manual
NeoRouter Inc 2010 Page 13 of 53
d On Vista or Win7 you may be prompted with a security warning because NeoRouter installs a virtual
network adapter Please allow the installer to proceed
e Follow the wizard to complete installation
f NeoRouter Network Explorer and Configuration Explorer are added to Windows Start menu
g NeoRouter is installed under ldquoProgram FilesZebraNetworkSystemsNeoRouterrdquo and user data is stored
under ldquoAllUsersAppdataZebraNetworkSystemsNeoRouterrdquo
h NeoRouter client service daemon can be controlled in Services Console (servicesmsc)
232 Install NeoRouter Client on Mac
a Download NeoRouter client for Mac
b If you have installed an earlier version of NeoRouter please uninstall it In a terminal execute command
sudo LibraryNeoRouterrmnrclientsh
c Double-click nrclient-ltversiongt-ltreleasegtdmg to open the disk image in Finder
d Double-click tuntap-ltversiongtpkg to install virtual network interface kernel extension
e Double-click NeoRouterClientmpkg to install NeoRouter client
f On Leopard or above NeoRouter Network Explorer is installed to the Applications folder
g On PPC Tiger a shortcut (nrclientcmd) is created on the Desktop and double-click it will launch Network
Explorer CLI
h NeoRouter is installed under ApplicationsNeoRouterapp and LibraryNeoRouter folder and user data is
stored under usrlocalZebraNetworkSystemsNeoRouter
233 Install NeoRouter Client on Linux
a Download NeoRouter Client for your Linux distribution
b If you have installed an earlier version of NeoRouter please uninstall it
Redhat and Fedora sudo rpm -e nrclient
SuSE sudo rpm -e nrclient
Ubuntu and Debian sudo dpkg -r nrclient
c Install
User Manual
NeoRouter Inc 2010 Page 14 of 53
RedHat and Fedora sudo rpm -i nrclient-ltversiongt-ltreleasegti386rpm
SuSE sudo rpm -i nrclient-ltversiongt-ltreleasegti386rpm
Ubuntu and Debian sudo dpkg -i nrclient-ltversiongt-ltreleasegti386deb
d Configure firewall for P2P connection (Optional)
Establishing direct P2P connection on Linux requires user to disable firewall Otherwise all connections to
this client will be relayed via server User must evaluate the trade-offs between performance and security
If this client is always physically located inside a trusted network like office or home LAN we recommend
disabling firewall and allow P2P connection If this client is physically located in an un-trusted network
like airport or coffee shop we recommend enabling firewall and relay all traffic via server
e Run usrbinnrclientcmd to launch Network Explorer CLI
f NeoRouter is installed under usrbin and user data is stored under
usrlocalZebraNetworkSystemsNeoRouter
234 Install NeoRouter Client on OpenWRT Kamikaze
a Connect to the router using ssh or telnet
b Update available install packages using command opkg update
c If you have installed an earlier version of NeoRouter please uninstall it opkg uninstall nrclient
d Install opkg install httpwwwneoroutercomDownloadsKamikazenrclient_ltversiongt-
ltreleasegt_mipselipk
e Configure firewall for P2P connection (Optional)
Please read NeoRouter client installation instructions for Linux and evaluate the trade-off between
performance and security If you decide to turn off firewall here is the instruction
edit etcfirewalluser and add the following
iptables -t nat -A prerouting_wan -p tcp -j ACCEPT
iptables -A input_wan -p tcp -j ACCEPT
iptables -t nat -A prerouting_wan -p udp -j ACCEPT
iptables -A input_wan -p udp -j ACCEPT
f Run usrbinnrclientcmd to launch Network Explorer CLI
g NeoRouter is installed under usrbin and user data is stored under
usrlocalZebraNetworkSystemsNeoRouter
h Turn your router into a file or backup server (Optional)
If your router has 8MB or more flash there should be enough space left for other packages You can enable
USB storage and Samba server and turn your router into a file server Or you can install rsync and turn it
into a backup server NeoRouters remote access and VPN service will allow you to securely access the
files from anywhere This solution is a lot cheaper than Small Business server or Windows Home server
Enable USB Storage httpnuwikiopenwrtorgoldwikiusbstoragehowto
Install Samba httpwikiopenwrtorgoldwikisambahowto
Install rsync httpoldwikiopenwrtorgrsync(2d)usb(2d)sambaHowTohtml
235 Install NeoRouter Client on Fonera 20N
a As Fonera 20N does not provide enough flash memory to install the NeoRouter client package we can run
it from a USB drive Another option is to flash the router with OpenWrt Kamikaze
b Download NeoRouter Client for Fonera 20N package
c Copy the package to a USB drive plug the USB drive to the FON router
d Connect to router using ssh
e Extract files tar zxvf nrclient-0991528-fon2n-mipseltgz
f If you didnt install the NeoRouter server plugin for FON please run the following commands Otherwise
you can skip this step
cp libuClibc++-022so usrliblibuClibc++-022so
ln -s usrliblibuClibc++-022so usrliblibuClibc++so0
g Setup NeoRouter Client
mkdir usrlocalZebraNetworkSystemsNeoRouter
run ldquonrservice amprdquo to launch the client service in the background
User Manual
NeoRouter Inc 2010 Page 15 of 53
run nrclientcmd to launch the Network Explorer CLI
h Disable firewall if you would like to establish direct P2P connection to this client
i Use the following steps to run client service automatically
vi usrbinnrcronclient and enter
binsh
if [ -z $(ps | grep nrservice | grep -v grep) ] then
usrbinnrservice gtdevnull amp
fi
exit 0
chmod 755 usrbinnrcronclient
Add a new entry to fonstate
etcinitdfonstate stop
vi etcconfigfonstate and enter
config fontimer
option action usrbinnrcronclient
option period 30
etcinitdfonstate start
3 Network Explorer
31 Launch and Sign In
a On Windows launch NeoRouter Network Explorer from Windows Start Menu | All Programs | NeoRouter
| NeoRouter Network Explorer
On Mac Leopard or above launch NeoRouter Network Explorer from Applications folder You can also
pin NeoRouter to the dock
User Manual
NeoRouter Inc 2010 Page 16 of 53
b Enter user credential
- If NeoRouter server is installed on Windows please use the administrator account created during
server setup
- If NeoRouter server is installed on other platforms NeoRouter can defer the authentication to the
operating system so user can sign in using the same username and password as heshe logs into OS
- User can also use the additional accounts created in Configuration Explorer or server CLI
- If you are invited to a NeoRouter domain please contact the administrator for your account
information
c In the Log on to field enter the domain name you have chosen during server setup Alternatively you can
enter the serverrsquos IP address or computer name You can also enter localhost if the Network Explorer is
on the same host as the server
d If the client host is behind proxy please choose Menu ldquoFile | Connectionsrdquo to bring up the Connection
Options dialog click Proxy Setting tab and then set proxy information
e Click the Sign In button
32 Computer List
The computer list is your view of the VLAN You can add any computer in your VLAN to this list and organize
according to your preference You will always have the same list regardless where you sign in from Each user will
have hisher separate list
Initially you will see an empty computer list after signing in for the very first time (see the left picture below) To
add a computer you can choose the menu Computers | Add a computer and then select the computer and category
in the dialog Once complete your computer list will be updated (see the right picture below)
You can use categories to help manage a long list of computers To create a category you can choose menu
Computers | Create a category To move a computer to a different category you can simply drag and drop
User Manual
NeoRouter Inc 2010 Page 17 of 53
Starting in release v098 the computer list shows the OS type icons next to a computer name If a computer is
online its icon is colourful and its name is bold If a computer is offline its icon is grey and its name is not bold
33 Add-on Add-ons extend NeoRouter Network Explorer and let you perform additional tasks over the virtual network
User Manual
NeoRouter Inc 2010 Page 18 of 53
331 Add-on launch pad
If you click on a computer in the computer list a popup dialog will display a list of actions you can take to remotely
control and access this computer This dialog is called the add-on launch pad
Screenshots on Windows
Screenshot on Mac
User Manual
NeoRouter Inc 2010 Page 19 of 53
NeoRouter Network Explorer has a few system default add-ons If a computer is online the following add-ons are
available
Icon Action
remote desktop connection
file sharing
ICMP ping
copy the IP address
If a computer is offline the following add-ons are supported
Icon Action
remote wakeup (WOL)
Note on remote wakeup NeoRouter server can send the Magic packet and wake up hosts that are WOL enabled If
the NeoRouter server is installed on a router remote wakeup works for hosts directly attached to this router If
server is installed on Windows Linux or Mac remote wakeup works for hosts in the same physical LAN To enable
WOL you may need to change BIOS and OS settings
332 Manage Add-ons (Windows)
You can download additional add-ons from the NeoRouter download website
(httpwwwneoroutercomaddonsindexhtml) and install them using the Add-on Manager Here we use UltraVNC
as an example to explain the setup process
a Launch NeoRouter Network Explorer choose menu File - Add-ons
b The Add-ons Manager dialog lists all the existing add-ons including system default ones and those
installed by user
User Manual
NeoRouter Inc 2010 Page 20 of 53
c To find more add-ons click on the Add-ons Gallery link at the bottom of the dialog or visit
httpwwwneoroutercomaddonsindexhtml in your web browser Download the add-on (nri) file to
your computer
d In the Add-ons Manager dialog click on Install button locate the nri file you just downloaded and
click Open to install the add-on
e Some add-ons including UltraVNC may require user to restart the NeoRouter Network Explorer to
complete the installation In such case you will see the following message box You can exit NeoRouter
Network Explorer by right click its icon in system tray and choose exit
f After installation you will see the new add-ons show up in the list
User Manual
NeoRouter Inc 2010 Page 21 of 53
g When you re-launch NeoRouter Network Explorer UltraVNC server will be started automatically If you
have not run UltraVNC server before you will see the following firewall warning and VNC configuration
dialog
h Please click the unblock button when you see the following dialog
Please enter VNC password then click the Ok button
User Manual
NeoRouter Inc 2010 Page 22 of 53
i Repeat the above steps on the remote computer that you plan to access
j To launch VNC viewer and access the remote computer choose the computer in the computer list and
click VNC viewer icon in the launch pad
333 Manage Add-ons (Mac)
a Launch NeoRouter Network Explorer choose menu File - Add-ons
b The Add-ons Manager dialog lists all the existing add-ons including system default ones and those added
by user
User Manual
NeoRouter Inc 2010 Page 23 of 53
c An add-on is essentially an apple script with NeoRouter parameters Here are some examples
Name Script
Copy IP set the clipboard to $NRIPAddress
Ping tell application Terminal to do script ping $NRIPAddress
Shared Folder tell application Finder to open location smb$NRIPAddress
Variables $NRIPAddress and $NRComputerName will be replaced with the IP and name of the selected
computer before the add-on is executed
d You can also create new add-ons or edit existing ones using the Add-On Properties dialog
User Manual
NeoRouter Inc 2010 Page 24 of 53
e To learn more about Apple Script please visit the following websites
httpenwikipediaorgwikiAppleScript
httpdeveloperapplecommaclibrarydocumentationAppleScriptConceptualAppleScriptXAp
pleScriptXhtml
34 Connection Options Connection Options dialog can be opened from Network Explorer menu ldquoFile | Connectionrdquo
341 P2P Connection This option allows user to specify the connection type between this computer and its peers The default option is
UDP User can also use direct TCP connection or relay traffic through NeoRouter server
342 Proxy Setting If the client host is behind proxy user can enter the proxy information here
User Manual
NeoRouter Inc 2010 Page 25 of 53
343 Server Local Address This option can be used to work around the connectivity issue when NeoRouter server is behind a router that does
not support hairpin
A router supports hairpin if it allows a host behind it to send network messages to its public-facing interface
Unfortunately some popular routers do not support this feature or turn off this feature by default
When user logs into NeoRouter Network Explorer first translates domain name into routerrsquos public address using
the NeoRouter DDNS service and then tries to connect to server using this address If both NeoRouter server and
client are behind the same router and the router does not support hairpin the router will block the messages that
client sends to the routerrsquos public address thus client fails to establish connection to server User could work around
this issue by entering serverrsquos LAN IP address instead of domain name in the ldquolog on tordquo box but this can be a
hassle for laptop users who frequently move between networks
These users can choose the second option ldquoConnect to server using its local address when possiblerdquo in the following
dialog and enter serverrsquos local address NeoRouter Network Explorer can detect when client and server are behind
the same router and automatically choose the specified local address to establish the connection to server
User Manual
NeoRouter Inc 2010 Page 26 of 53
35 Multi-Language
Multi-Language support allows you to change the default language displayed in Network Explorer NeoRouter
Portable and Configuration Explorer
351 Install a language resource file
NeoRouter applications support 34 languages and English is the default To install a new language you can
download the language resource files from
httpwwwneoroutercomwikiindexphpNeoRouterWikiMultilanguage and place them under the translation
folder Then the application will load them and list all available languages in the Language menu You can switch
language in the menu and the application will refresh its UI with the new language
For NeoRouter Network Explorer and Configuration Explorer the language resource files should be placed under
one of the following folders
ldquoProgram FilesZebraNetworkSystemsNeoRouterTranslationrdquo
ldquoAllUsersAppdataZebraNetworkSystemsNeoRouterTranslationrdquo
For NeoRouter PortableUSB the language resource file should be placed under Translations folder next to
application
352 Language resource file format
The file name should have the following format [Appliation Name] can be NRClient NRViewer and NRConsole
[LangCd] is the short language code
[Application name]Resource[LangCd][xml|dll]
For example Simplified Chinese version has the following files NRClientResourceZhCnxml for Network
Explorer NRConsoleResourceZhCnxml for Configuration Explorer and NRViewerResourceZhCnxml for
NeoRouter Portable
User Manual
NeoRouter Inc 2010 Page 27 of 53
Each resource file is an xml that contains all the strings defined in the NeoRouter applications The file is encoded in
ANSI The content should be in the format
ltxml version=10 encoding=windows-1252gt
ltresource CompactMode=1 Language=English (United States) LANGID=1033
version=09101650gt
ltstring id=100 value=OLE initialization failed Make sure that the OLE libraries are
the correct versiongt
ltresourcegt
Encoding (=windows-1252) Language(=English (United States)) and LANGID(=1033) are used to control
the translation version=09101650 is resource file version number introduced in v0910 The resource file can
be recognized properly only when these parameters are set properly
353 Multi-Language support for Add-ons
The names and descriptions of the add-ons can be translated to other languages as well You can download the add-
on configuration file from NeoRouter website and overwrite the following file
AllUserAppDataZebraNetworkSystemsNeoRouterAddOnsAddOnxml
36 Skin
Skin allows you to further customize the user interfaces of Network Explorer NeoRouter Portable and
Configuration Explorer
To install a new skin you can download the skin resource file from
httpwwwneoroutercomwikiindexphpNeoRouterWikiSkin and place them under the skin folder
For NeoRouter Network Explorer and Configuration Explorer the language resource files should be placed under
one of the following folders
ldquoProgram FilesZebraNetworkSystemsNeoRouterSkinrdquo
ldquoAllUsersAppdataZebraNetworkSystemsNeoRouterSkinrdquo
For NeoRouter PortableUSB the language resource file should be placed under Skin folder next to executable
To change default skin you need to modify (or create if not exists)
AllUserAppDataZebraNetworkSystemsNeoRouterFeatureini file and add the following
[Default]
SkinName=xxxxstyles
SkinStyle=xxxxini
37 Network Explorer CLI
NeoRouter Network Explorer Command Line Interface (CLI) allows user to sign in manage the computer list and
view computer status Below are the screenshots on Mac and Ubuntu Linux
User Manual
NeoRouter Inc 2010 Page 28 of 53
371 Launch CLI
Usage nrclientcmd [-d DOMAIN] [-u USERNAME] [-p PASSWORD] [-setproxy] [-setconn] [-dbroot DBROOT]
[-internal] [--help]
To launch Network Explorer CLI you can simply run nrclientcmd in a terminal without parameters Mac users can
simply double-click on the nrclientcmd shortcut on the Desktop You will be prompted for domain name and user
credential
If you need to launch nrclientcmd in a startup script you can also provide domain name or credential in the
command line arguments
If the client host is behind a proxy you can use ndashsetproxy option The proxy information will be stored in the
configuration file and nrclientcmd will respect this setting subsequently
There are also a few advance options
- setconn allow user to specify client-to-client connection type
- dbroot allow user to specify the location to store user data
- internal nrclientcmd will generate tags between information sections This option can be used by third
party developers to create a UI wrapper for CLI
372 Computer List in CLI
After signing in you will see your computer list just like on Windows The computer list will automatically update
if there are any changes in your virtual LAN eg a host comes online or offline
At the bottom of the screen lists the available commands you can use to manage the computer list change password
remotely wake up a computer or to quit
38 Network Explorer Portable
NeoRouter Network Explorer Portable can run from any computer without installation It does not require
administrator permission or use the virtual network adapter This application can be extremely useful for users who
need to connect to the VLAN from a public kiosk or from friendrsquos house
User Manual
NeoRouter Inc 2010 Page 29 of 53
Note Prior to v111 Portable and USB are two separate packages They are merged into one package in v111 and
later releases The new package is a zip file containing both the portable client and the USB Auto Run Configuration
Tool The functionalities are same as before
381 Network Explorer Portable
To use Network Explorer Portable client user can simply download it from NeoRouter download website and run
Then user will see the same user interface as the regular Network Explorer The user experience is almost the same
except for the following
The host running PortableUSB client cannot be added to the computer list or be accessed by remote computer
You can think of it as a ldquoviewer of the VLANrdquo
NeoRouter administrator users can see and manage hosts running PortableUSB clients in the Configuration
Explorer
382 Auto Run Configuration for USB
Auto Run Configuration Tool allows user to store the portable client add-ons and configuration on a USB drive
You can even configure it to launch and sign in automatically when the USB drive is plugged into a computer and to
sign out and exit when the USB drive is unplugged
Here are the steps for setting up the USB package
a Download NeoRouter for USB
b Unzip the package to any folder For example CTEMP
c Launch the ldquoAuto Run Configuration Toolrdquo (AutoRunCfgexe)
User Manual
NeoRouter Inc 2010 Page 30 of 53
d Click on the ldquohelliprdquo button next to the working directory text box and specify a working path If the target
USB drive is plugged in you can specify the USB drive root path as the working directory Or you can
specify a temporary path (eg CTEMPUSB) and copy the files to your USB driver later
e Once you specify a working directory the Settings section will be enabled
f Choose CliViewerexe from the same install zip package as the Target file
g Check the Sign in checkbox and enter the domain name and user information to log into your NeoRouter
VLAN
h Setup the proxy information if necessary
i If you want to import a NeoRouter add-on click on the button on the right side of the Add-on file text
box and specify an add-on nri file
j If you want to run an application automatically after signing in click on the Run application
automatically check box and input an executable file path and parameters
k If you want to hide the NeoRouter Viewer window click on the Minimize NeoRouter window when
started
l Click on Save button to save the configuration files It will generate the following files under the working
directory
- Autoruninf
- CliViewerexe copied from the target file
- NRAutoRunxml
- [add-on file]nri if you specify an add-on
- Proxyxml if you specify a proxy
m You will also see the following dialog if the configuration was successful Then please copy all files and
sub-folder under the working directory to the root of your USB drive And the USB drive is ready to use
39 Change Password
A user can change hisher password in NeoRouter Network Explorer User must sign in the Network Explorer using
old password then choose menu ldquoFile | Change Passwordrdquo then enter the new password in the dialog
Network Explorer CLI has similar functionality After signing in user can use ndashchangepassword command to enter
new password
If a user loses the old password an administrator can create a new password for himher using the Configuration
Explorer User Management tool
User Manual
NeoRouter Inc 2010 Page 31 of 53
4 Configuration Explorer
NeoRouter Configuration Explorer is a Windows application that allows an administrator to manage local or remote
NeoRouter server This is the recommended method to change server settings
If user does not have a Windows computer nrserver CLI can be used to perform most configurations
41 Launch and Sign In
Note Only administrators can sign in Configuration Explorer
a User can launch it from Windows Start Menu | All Programs | NeoRouter | NeoRouter Network Explorer
or from NeoRouter Network Explorer menu ldquoFile | Optionsrdquo
b After launch user will see a sign-in dialog that is similar to the Network Explorer counterpart Please enter
domain name and user credential to sign in If the local host is behind a proxy please click on Connection
button to set proxy information
c After sign in the following general information page will be displayed
User Manual
NeoRouter Inc 2010 Page 32 of 53
42 Managing Users
In the User Accounts page you can perform the following tasks
- View existing users The users list can be sorted by any column
- Add a new user admin will create a temporary password for the new user and user can change the
password in Network Explorer
- Edit user information you can enter anything like employer contact info etc
- Set userrsquos password If a user loses password admin can set a temporary password for himher Then user
can change the password again in Network Explorer
- Disable (block) a user A disabled user will not be able to sign in Network Explorer or Configuration
Explorer The userrsquos profile and ACL settings are retained
- Delete a user all information of this user is deleted
- View the computers that are visible to this user (see ACL section for details)
User Manual
NeoRouter Inc 2010 Page 33 of 53
43 Managing Computers
In the Computers page you can perform the following tasks
- View existing computers please note that the Type column will show ldquoTemporaryrdquo for Network Explore
PortableUSB clients and ldquoPermanentrdquo for regular clients The computer list can be sorted by any column
- Edit a computerrsquos alias When a computer is added to the virtual network NeoRouter reads the computer
name from the OS and displays it in the computer list If you prefer a different name you can create an
alias which will then be used in the computer list
- Edit a computerrsquos description you can enter anything like computer owner location asset id etc
- Edit ACL this will be discussed in next section
User Manual
NeoRouter Inc 2010 Page 34 of 53
44 Access Control List
This feature is available in NeoRouter Profession Edition only
441 Overview
The ACL of a host specifies which users are granted or denied access to the host and which specific services or ports
are allowed Administrators can use ACL to manage a NeoRouter domain that has users with different trust levels
For example Joe uses NeoRouter to manage the office network at his small business He wants to share some
documents on a file server with a customer but block this customer from accessing other services on this file server
and other computers at office At the same time Joe and his coworkers should continue to have full access to all
computers
This can be a daunting task with traditional VPN solutions Once Joersquos customer is connected into the office
network heshe can access all network resources just like Joe and his coworkers If the office uses a domain
controller it can help mitigate the threat but Joe would have to check all the computers to ensure they are secure
Some coworkers can make innocent mistakes and share important files or internal websites with ldquoeveryonerdquo With
NeoRouter Joe can manage all the access control at one place and easily solve this challenge
User Manual
NeoRouter Inc 2010 Page 35 of 53
ACL defines the relationships between users and computers that can be conceptually represented using a table In
Joersquos case he needs to define the ACL as follows
Default User Joe (Admin) Customer Joersquo Co-workers
Default Computer ACL Block all
File Server Allow all Allow file sharing
block other services
Office Computer A Allow all Block all
Office Computer B Allow all Block all
Joersquos laptop Allow all Block all
Customerrsquos Computer
Letrsquos first look at the row for File Server Joersquos customer will only have access to the files sharing service There is
no ACL defined for Joe and his co-workers so the ACL for Default User is effective and they have full access
Similarly the customer will be blocked from accessing office computer A and B as well as Joersquos laptop while Joe
and his coworkers have full access to these computers
When the customer connects to Joersquos NeoRouter domain his computer will be added to the domain Because the
ACL for this computer is undefined it will have the same ACL as ldquoDefault Computerrdquo Thus the customerrsquos
computer will block all users including Joe from accessing it The customer has physical access to his own
computer
442 Define Computer ACL
You can think of a computerrsquos ACL as a row in the above ACL table An admin can select any computer in the
computer list and edit its ACL If a group of computers share the same ACL admin can copy ACL from one
computer to another
To edit the Default Computer ACL you can click on the ldquoEdit Default ACLrdquo button in the tool bar
User Manual
NeoRouter Inc 2010 Page 36 of 53
443 Define ACL entry
An ACL entry defines the relationship between one user and one computer You can think of it as a cell in the above
table To edit an ACL entry you can select the computer in the computer list click Edit ACL in the tool bar and
then select the user in the User List in the following dialog If the user does not exist in the list you can click Add
button and add himher
There are 4 types of ACL entries
Undefined the relationship between the user and the computer is not explicitly defined The user does not
show up in the User List of the ACL In this case the Default User ACL entry for this computer will be
effective
Block All the computer is invisible to the user User cannot add the computer to hisher computer list in
Network Explorer or connect to it
Note admin can view the list of computers that is visible to a specific user Click on the User Accounts tab
choose the user and then click on the ldquoUser Computer Listrdquo button from tool bar
Firewall On User can only access the services in the exceptions list provided by the computer
Firewall Off User can access all services provided by the computer
To define the Default User ACL entry for a computer choose Default User from User List If several users have the
same trust level admin can copy the ACL entry from one user to another using the ldquoCopy Fromrdquo button
444 How Firewall Works
NeoRouter Client Service daemon has a built-in firewall that monitors traffic in the virtual network The firewall
downloads the ACL from server and uses it to allow or deny incoming connections in the virtual network
User Manual
NeoRouter Inc 2010 Page 37 of 53
When a remote computer establishes a direct P2P or relayed connection to local host it also informs which user has
signed into the Network Explorer on the remote computer Then the local hostrsquos firewall will use the user id to
choose the appropriate ACL entry and control the virtual network traffic between these two computers If user does
not sign in Network Explorer on the remote computer the Default User ACL entry is used
As a result NeoRouter firewall can control a userrsquos access to a network resource (a computer or a service on a
computer) based on the ACL
445 Example hub-and-spoke
Jeffrsquos company has three business partners A B and C Jeff needs to setup bidirectional network connections with
each partner but these partners should be invisible to each other Jeff setup a NeoRouter domain and invited the
partners to Then Jeff creates the following ACL to achieve his access control goals
Default User Jeff (Admin) Partner A Partner B Partner C
Default Computer ACL Block all Allow all
Jeffrsquos Computer 1 (Hub 1) Allow all
Jeffrsquos Computer 2 (Hub 2) Allow all
Partner Arsquos Computer
Partner Brsquos computer
Partner Crsquos computer
Every user will have access to Jeffrsquos two computers (hub) because they have Default User ACL entry as ldquoAllow
allrdquo Partner Arsquos computer does not have a specific ACL defined so the Default Computer ACL is effective The
Default Computer ACL grants Jeff access to Partner Arsquos computer but make the computer invisible to Partner B and
C Partner A have physical access to his own computer
446 Example one-way access
Jasonrsquos company provide technical support for customer A Jason needs to have one-way access to Customer Arsquos
computer but block Customer A from accessing Jasonrsquos computer Jason sets up the following ACL for his domain
and invites Customer A to join his domain Jason can access all the computers in the domain while Customer A can
access none except for his own
One day Jason visits another Customer Brsquos office He installs NeoRouter client on Customer Brsquos computer so that he
can provide technical support remotely in the future When he signs into Network Explorer he makes sure to
uncheck ldquoremember my passwordrdquo checkbox When he leaves customer Brsquos office he exits the Network Explorer
Because Network Explorer is not running on Customer Brsquos computer the Default User ACL governs the
connections from Customer Brsquos computer to other computers in the VLAN Thus Customer B does not have access
to any computers except for his own When Jason goes back to his office he can connect to Customer Brsquos computer
remotely and provide customer support
The difference between Customer A and B is that Customer A has a NeoRouter user account while Customer B does
not The result is that Jason has access to all three computers while Customer A or B can only access hisher own
computer
Default User Jason (Admin) Customer A
Default Computer ACL Block all Allow all
Jasonrsquos Computer
Customer Arsquos Computer
Customer Brsquos Computer
User Manual
NeoRouter Inc 2010 Page 38 of 53
45 Managing Server and Domain
In the Settings page you can perform the following tasks
- Change domain name User should have setup a domain during the server installation If you decide to
change the domain name you can create a new domain at NeoRouter Dashboard website and then use
Configuration Explorer to switch the server to new domain
- Change Listen Port this is discussed in the Advanced Configuration chapter
- Change NAT setting this is discussed in the Server Installation chapter
- Change DHCP this is discussed in the Advanced Configuration chapter
Please restart the NeoRouter server daemon after changes
46 Branding
This feature is available in NeoRouter Profession Edition only
Admin can customize the logo on the sign-in page NeoRouter Network Explorer and the banner below the computer
list The customization page of the Configuration Explorer allows user to make these changes The changes will be
effective next time user signs into the Network Explorer
User Manual
NeoRouter Inc 2010 Page 39 of 53
a Logo format custom logo can be JPG JPEG BMP or GIF files The Logo will be displayed in 180 80
pixels and the file will be automatically resized to fit The color of the pixel at (0 0) will be used as the
transparent color
b Banner format custom banner can be JPG JPEG BMP or GIF files The banner will be displayed in
190 42 pixels and the file will be automatically resized to fit
c When user clicks on the banner Network Explorer will launch a web browser and navigate to the link
specified in the ldquoBanner Linkrdquo box The banner link should be a valid URL that begins with http eg
httpwwwgooglecom
User Manual
NeoRouter Inc 2010 Page 40 of 53
47 Server Configuration CLI
Another way to configure the NeoRouter server is to use nrserverrsquos CLI If user does not have a Windows computer
with Configuration Explorer this tool can be used to set most configurations
Usage nrserver [options]
-run [--dbroot ltDBROOTgt]]
-showsettings
-setdomain ltDOMAINNAMEgt ltDOMAINPASSWORDgt
-setport ltPORTgt
-dhcp ltSUBNETgt ltNETMASKgt
-showusers
-adduser ltUSERNAMEgt ltPASSWORDgt [admin|user]
-setpassword ltUSERNAMEgt ltNEW PASSWORDgt
-setrole ltUSERNAMEgt [admin|user]
-enableuser ltUSERNAMEgt
-disableuser ltUSERNAMEgt
-deleteuser ltUSERNAMEgt
-showcomputers
-deletecomputer COMPUTERNAME
-setalias COMPUTERNAME ALIAS
-help
5 Advanced Configuration
51 Change Server Port
By default NeoRouter server listens at TCP port 32976 for incoming client connections User can change the
listening port to any valid number between 1 and 65534
a Launch Configuration Explorer sign in and open the Settings tab
b Click on ldquoChange Portrdquo button input the new listening port and click ldquoOkrdquo to save the settings
c If the NeoRouter Server is running on the same computer user will be prompted for restarting the
NeoRouter Server
d If the NeoRouter Server is running on a different computer or device user needs to restart the server
manually
User Manual
NeoRouter Inc 2010 Page 41 of 53
Note
- The new settings will not take effect until the NeoRouter server stops and restarts
- Since the listening port has been changed all NeoRouter clients connected to the server will be
disconnected and have to reconnect to the server
52 Change DHCP NeoRouter server acts as a DHCP server to allocate the virtual IP address when a NeoRouter client connects to it By default the base IP address is 100002552552550 User can change the base IP address to any valid network IP address to meet the specific requirements
a Run Configuration Explorer sign in and open the ldquoSettingsrdquo tab b Click on ldquoChange DHCPrdquo button input the new IP address and netmask and then click ldquoOkrdquo to save the
settings c If the NeoRouter Server is running on the same computer user will be prompted for restarting the
NeoRouter Server d If the NeoRouter Server is running on a different computer or device user needs to restart the server
manually
Note
- The new settings will not take effect until the NeoRouter server stops and restarts
53 Network Bridge
531 Overview NeoRouter (v099 or later) supports the Network Bridge feature which uses two very different means for
interconnecting networks routing and bridging Once the feature is enabled the ACL feature will be disabled
automatically as we cannot control the packets from the external networks anymore and may cause security issues if
its not setup properly So this is an advanced feature for the users who know about it every well
Routing - refers to the interconnection of separate and independent sub-networks (subnets) which have non-
overlapping ranges of IP addresses Upon receiving a packet sent to it a network router examines the
destination IP address to determine which of several connected networks should receive it after which that packet
is forwarded to the proper network
User Manual
NeoRouter Inc 2010 Page 42 of 53
Bridging - by comparison is much simpler A network bridge is simply an electrical interconnection between
separate physical networks that are all carrying the same ranges of IP addresses Standard dumb network hubs
and switches are examples of network bridges With a hub packets arriving at any port are bridged and sent
out to every other port A switch is a bit smarter since it is able to adaptively learn which network interface cards
(NICs) are attached to which ports But a switch is still interconnecting network segments carrying the same
ranges of IP addresses
532 Routing vs Bridging Although routed connections are the most common and straightforward to configure they suffer from significant
operational limitations By comparison bridged connections are generally much trickier to configure and are not
even natively available under all operating systems so they are not the default connection type But when bridging
is properly setup it correctly does everything that we want
Bridging and routing are functionally very similar with the major difference being that a routed VPN will not pass
IP broadcasts while a bridged VPN will
Routing advantages
Efficiency and scalability
Allows better tuning of MTU for efficiency
Routing disadvantages
Clients must use a WINS server (such as samba) to allow cross-VPN network browsing to work
Routes must be set up linking each subnet
Software that depends on broadcasts will not see machines on the other side of the VPN
Works only with IPv4 in general and IPv6 in cases where tuntap drivers on both ends of the connection
support it explicitly
Bridging advantages
Broadcasts traverse the VPN -- this allows software that depends on LAN broadcasts such as Windows
NetBIOS file sharing and network neighborhood browsing to work
No route statements to configure
Works with any protocol that can function over ethernet
Relatively easy-to-configure solution for road warriors
Bridging disadvantages
Less efficient than routing and does not scale well
533 Setup Network Bridge With either bridging mode or routing mode one can create point-to-site VPN site-to-site VPN or even multiple site-
to-site networks Once a network structure is well designed one can use Featureini file to control NeoRouter client
service to implement it
The file Featureini is located in the main configuration folder which can be various for different OS
On Windows Xp
XDocuments and SettingsAll UsersApplication DataZebraNetworkSystemsNeoRouter
On Vista+
XUsersAll UsersZebraNetworkSystemsNeoRouter
On Linux and Mac OSX
usrlocalZebraNetworkSystemsNeoRouter
On in-a-box
jffs
If it does not exist please create one
The only thing to do is define the parameters in the Featureini file
User Manual
NeoRouter Inc 2010 Page 43 of 53
NetworkBridge=1
LANSegment parameter
This is a set of parameters used for mapping the external IP address or IP range to a virtual IP address so that
NeoRouter can route the packets to the proper tunnel Its defined in the following format
LANSegment[index]=[IP|IP range|segment]VIP
[index] - number start from 1 for example 123
[IP] - a valid external IP address for example 192168129126
[IP range] - a set of external IP addresses in the format as IP_BEGIN-IP_END For example 192168129126-
192168129128
[segment] - a set of external IP addresses in the format as SUBNETWORKNETMASK For example
19216812902552552550
For example
[Default]
NetworkBridge=1
LANSegment1=192168129126-192168129128192168129204
LANSegment2=192168129120192168129205
LANSegment3=192168302552552550192168129206
In the sample above the setting tells NeoRouter how to route packets
Here are several common scenarios
534 Bridging Setup ndash point to site VPN
Requirement
A company wants create a point-to-site VPN so that the employees can remotely access the printers or computers in
the office from home or customer site Since NeoRouter client cannot be installed on the printers and some
User Manual
NeoRouter Inc 2010 Page 44 of 53
computers that are running Unix OS (HP-Unix Solaris or SCO Unix) the NeoRouter Network Bridge feature
would the best choice
Design
Since we want to use the printer its better to use the bridging mode Depending on the requirements we split the
network into 3 groups
1 192168129126 - 192168128128 used for computers or printers
2 192168129200 - 192168129254 used for NeoRouter DHCP
3 Other IP address we dont want packets from these IP range go to our VPN
Setup
1 Setup NeoRouter server and config the DHCP address to 1921681292002552552550
2 Setup the gateway computer by creating a bridge to combine the NeoRouter virtual adapter and a local adapter
On Windows XP+ (except WinXp x64) one can use Windows tool to create a bridge
(check out MSDN for details)
Since some adapters may not fully support prosmic mode one has to enable it manually
(check out httpsupportmicrosoftcomkb302348)
gt netsh bridge show adapter
gt netsh bridge set a 1 e
gt netsh bridge set a 2 e
On Linux one can use brctl command to create a bridge
gt brctl addbr $br
gt brctl addif $br eth0
gt brctl addif $br nrtap
gt ifconfig nrtap 0000 promisc up
gt ifconfig eth0 0000 promisc up
gt ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast
gt
gt ifconfig $br down
gt brctl delbr $br
3 Setup Featureini file on each member of the NeoRouter network The content of the file is
[Default]
NetworkBridge=1
LANSegment1=192168129126-192168129128192168129204
After setting the file restart the nrservice or reboot computer
User Manual
NeoRouter Inc 2010 Page 45 of 53
535 Routing Setup ndash site to site VPN
Requirement
A company wants create a site-to-site VPN to link two offices located in different cities They cannot install
NeoRouter client software on their computers running Unix OS (HP-Unix Solaris or SCO Unix) The NeoRouter
Network Bridge feature would be the best choice
Design
To make the VPN fast its better to use the routing mode From the requirements we can see 3 networks
1 19216812902552552550 Office 1
2 192168302552552550 Office 2
3 100102552552550 NeoRouter virtual network
Setup
1 Setup NeoRouter client on each gateway computers
2 One each gateway computer enable the feature allowing the OS to forward packets
On Windows 2000+
create HKEY_Local_MachineSystemCurrentControlSetServicesTcpipParametersIPEnableRouter
as a string value equal to 1 in the registry This will require a system reboot to take effect To confirm it
is enabled do ipconfig all from the command line IP Routing Enabled should say yes If not confirm your
registry setting and reboot again This setting is flaky in non-server versions of Windows
Also refer to httpsupportmicrosoftcomkb230082en-us
On Linux
gt echo 1 gt procsysnetipv4ip_forward
User Manual
NeoRouter Inc 2010 Page 46 of 53
On Mac OS X
1) The easy way is to create or edit etcsysctlconf and add netinetipforwarding=1
or
2) gt sysctl -w netinetipforwarding=1
3 Setup route on each gateway
On the gateway of the 1921683x network
gt route ndashp add 1921681290 mask 25525500 1001103
On the gateway of the 192168129x network
gt route ndashp add 19216830 mask 25525500 1001102
4 Setup route stable When using routing method you need to tell your other machines how to cross the VPN to
access computers on the opposite network
Option1
This requires more work but limits configuration changes to be at the computer level
On each computer of the 1921683x network
gt route ndashp add 1921681290 mask 25525500 1921683234
On each computer of the 192168129x network
gt route ndashp add 19216830 mask 25525500 192168129129
Option 2 (not all routers support this but it is the minimal configuration method)
On the router acting as the default gateway for 1921683x network add a static route that says any traffic destined
for 1921681290 network go through 1921683x (IP address of NeoRouter PC on 1921683x network)
On the router acting as the default gateway for 192168129x network add a static route that says any traffic
destined for 19216830 network go through 192168129x (IP address of NeoRouter PC on 192168129x
network)
User Manual
NeoRouter Inc 2010 Page 47 of 53
536 Bridging Setup ndash site to site VPN
537 Run Scripts When Network Bridge feature is enabled one can define commands getting called by NR Client on the following
events
These commands should be defined in the Featureini file
1When initialize the tap device but not activate it yet
CmdOnTapInit=xxxxxxxxx
2When the tap device gets activated
CmdOnTapActive=xxxxxxxxx
3When tap device gets destroyed
CmdOnTapUninit=xxxxxxxxx
These options are available on all platforms
For example one can define a script to setup static route table after the tap gets activated and has virtual IP address
assigned
Featureini
CmdOnTapActive=usrbinsetroutetablesh
User Manual
NeoRouter Inc 2010 Page 48 of 53
54 Build Custom Add-on (Windows)
541 Create Custom Add-on You can customize an add-on or even create your own
As an example letrsquos create an add-on to get the system info of a remote computer using PsTools by Mark
Russinovich and systeminfoexe command shipped with Windows
PsTools httptechnetmicrosoftcomen-ussysinternalsbb896649aspx
systeminfo httptechnetmicrosoftcomen-uslibrarybb491007aspx
a Launch NeoRouter Network Explorer open Add-ons Manager dialog
b Click + button to create a new add-on
c In add-on properties dialog enter the following
Add-on name psexec systeminfo
Command
cmdexe C cpstoolspsexecexe NRIPAddress -u ltusernamegt systeminfo amp pause
Please replace ltusernamegt with username on the remote computer
Comment Get SystemInfo of remote machine using psexec
Startup Type Manual
Icon click Change Icon button to choose one thats easy to recognize
d In the command you can use Windows environment variables or NeoRouter variables like
NRIPAddress If you click on the button next to the Command edit box you will see the Edit
Command dialog with a list of variables you can use
User Manual
NeoRouter Inc 2010 Page 49 of 53
e Three Startup types are supported
Manual the add-on will be displayed in the launch pad of Network Explorer and user can manually
launch the program
Automatic after signing in the add-on command is automatically executed when user signs into
NeoRouter Network Explorer
Automatic after Windows starts the add-on command is automatically executed when Windows
starts
f Launch the new add-on just click on the target computer in Network Explorer and choose the add-on in
the pop-up launch pad
User Manual
NeoRouter Inc 2010 Page 50 of 53
g In the above steps I have assumed that PsTools are installed at cPsTools and the remote computer has
telnet service enabled If not lets configure the system now
PsTools download from httptechnetmicrosoftcomen-ussysinternalsbb896649aspx and extract to
cPsTools folder
h Configure telnet service on remote computer This step is required on XPVista but not necessary on
Windows 20032008 servers
Run servicesmsc from the Start -gt Run command window and configured the Telnet service for
Automatic Start the service
Follow the instructions here httpsupportmicrosoftcomkb298060en-us
Launch Windows firewall and add CWINDOWSSystem32tlntsvrexe to exception list
542 Add-on File Formats
NeoRouter supports two types of add-on files nri and nra Most users only need to deal with nri files all files
downloaded from httpwwwneoroutercomaddonsindexhtml are in this format nra files are used by advanced
users to build custom add-ons
nri is the full installation package that contains both the application and the the configure info Users can simply
download nri files from and use the Install button to setup the add-on
nra contains only the configuration info Advanced users can create custom add-ons and export the configuration
info as nra files using the Export button in the add-on properties dialog Then heshe can import the nra file
on another client But remember that you will need to manually setup the application as well
User Manual
NeoRouter Inc 2010 Page 51 of 53
6 Licensing NeoRouter
61 Licensing Overview
NeoRouter Server Professional Edition has a license control mechanism User can purchase either 8 licenses or 256
licenses The number of licenses is the max number of client computers allowed in the virtual network A
NeoRouter client requires one license regardless of whether it is online or offline A NeoRouter PortableUSB client
requires one license when it is connected to the virtual network There is no limit on the number of user accounts
NeoRouter Professional has 30 days trial period Please activate before the trial period expires to ensure
uninterrupted usage The license status and remaining trial days can be found at Configuration Explorerrsquos General
page
62 Activation
If you have purchased NeoRouter Professional Edition you should receive a product key in email Please have the
product key ready before starting the activation process
a Ensure NeoRouter server is running
b Launch Configuration Explorer and sign in
c Open ldquoGeneralrdquo page click on the ldquoActivate Productrdquo button
d Enter the product key in the following dialog
e Click on the ldquoOKrdquo button to activate it
After successful activation the ldquoActivate Productrdquo button will disappear and License status will show as activated
If the server host is non-Windows you can also activate using nrserverrsquos CLI The command is as follows On Mac
nrserver executable is located under LibraryNeoRouter
ldquonrserver ndashactivateproduct ltPRODUCT KEYgtrdquo
63 Product Key Recovery
You should receive a product key in email within 48 hours after your purchase If you lose the product key please
contact us and provide your name company shipping address and email address We will verify the information and
resend the product key to you
User Manual
NeoRouter Inc 2010 Page 52 of 53
7 Troubleshooting and Support
71 Troubleshooting
If you come cross issues when using NeoRouter please use the methods to debug or report
711 Troubleshooting steps
1Install Server
2Check Server
Process
3Check Server
Listening port
4Check Port
Forwarding
6Signin with
Domain
14Check Error
Message
20 Generate Log
and email support
9Install Client
10Check Client
Service Process
11Sign in with
serverrsquos local or
public IP and port
failed
sucessful
15 Manually Start
Servernot found
started
not start
found
not open17 Check Port
conflicts
solved
Not solved
opened
19 Check Router
Port Forward
setting
not work
Set properly
8Ready
Sign in successfully
5Sign in with
public IP and port
successful
Cannot sign in
22 Router Hairpin
issue
Cannot
sign in
12Sign in with
domain name
found
successful
failed
16 Manually Start
Client ServiceNot found
started
13Ready
Sign in successfully
18 Check serverCannot
Sign in
solved
Cannot
sign in
21 Check domain
setting
Not sovled solved
Troubleshooting Steps
Setup Server Setup Client
Note
Step 2 and 10 to check if a process is running you can use Task Manager or Services Console on
Windows or ps command on other platforms
Step 3 to check server listening port you can use telnet or netstat on all platforms You can also
TcpViewer on Windows or NetActView on Linux
Step 4 to check port forwarding you can use httpwwwneoroutercomcheckportphp
Step 5 and 6 Tip ndash use Configuration Explorer instead of Network Explorer to debug server issues
Step 20 next section will explain how to generate log files
User Manual
NeoRouter Inc 2010 Page 53 of 53
Step 22 If your router does not support Hairpin please set serverrsquos LAN address in the Connection
Options dialog See Server Local Address
712 Generate Log
If you need technical support please use the following steps to collect the log files and send them to
supportneoroutercom
a Launch Network Explorer
b Select menu item HelpgtgtTroubleshootinggtgtLog Session to File
c If you want to troubleshoot the server then restart the NeoRouter server service from the servicesmsc if
you want to create log for the client then restart the NeoRouter client service from the servicemsc
d After reproduce the issue select menu item HelpgtgtTroubleshootinggtgt Log Session to File again to disable
the log and restart the service you are trying to log
e Select menu item HelpgtgtTroubleshootinggtgtOpen Configuration Folder and you will see the log file
For advanced users please setup logging settings manually referring to
httpwwwneoroutercomwikiindexphpNeoRouterWikiFAQHow_to_generate_a_log_file3F
72 Contact Us
Company website
httpwwwneoroutercom
Technical support
supportneoroutercom
Support ticket
httpswwwneoroutercomDashboardSendTicketaspx
Support forum
httpwwwneoroutercomforum
Product sales
salesneoroutercom
Knowledge base
httpwwwneoroutercomsupport
User Manual
NeoRouter Inc 2010 Page 7 of 53
15 System Requirements
NeoRouter client and server can be installed on
Windows (Win 7VistaXP200820032000)
Mac OSX (x86 LeopardSnow Leopard PPC Tiger)
Linux i386 and x64 (RedhatFedoraCentOS UbuntuDebian SuSE)
Linux-based router firmware (Tomato OpenWRT Kamikaze Fonera2n)
16 Acknowledgements
NeoRouter is made possible because of the following open-source projects
OpenSSL the Open Source toolkit for SSLTLS httpwwwopensslorg
OpenWrt a Linux based firmware program for embedded devices such as residential gateways and routers
httpwwwopenwrtorg
Tomato Firmware a small lean and simple replacement firmware for Broadcom-based routers
httpwwwpolarcloudcomtomato
Fon A router that allow its user to securely share their Wi-Fi network with other Fon members httpwwwfoncom
Tun-Tap OSX the virtual network interface for Mac OS X httptuntaposxsourceforgenet
Nullsoft Scriptable Install System (NSIS) a professional open source system to create Windows installers
httpnsissourceforgenet
NRClientX a GUI frontend for NeoRouter Network Explorer on Mac Linux and Windows
httpsourceforgenetprojectsnrclientx
User Manual
NeoRouter Inc 2010 Page 8 of 53
2 Installation
21 Check list
Here are the steps to setup a NeoRouter Virtual LAN Please refer to next few sections for detailed instructions on
your target operating systems
Server Setup
a Choose a host that meets the network requirements as NeoRouter server
b Install NeoRouter server software
c Create the first administrator if necessary
d Setup NeoRouter domain
e Configure router or firewall for port-forwarding or UPnP if necessary
Note NeoRouter Server for Windows has an install wizard that guides user through steps b c amp d
Client Setup
a Install NeoRouter client software
b Sign In Network Explorer and join this host to VLAN
c Install add-ons if necessary
License activation See Chapter 6 Licensing NeoRouter
22 Server Setup
221 Server Network Requirements
A NeoRouter server is usually setup on an always-on host that has stable Internet connection and a static or dynamic
public IP address If server is behind a router (or firewall) user needs to configure the router and expose the
NeoRouter server port (default to 32976) to Internet by port-forwarding or UPnP
222 Install NeoRouter server on Windows
a Download NeoRouter installation package for Windows NeoRouter server and client for Windows share
the same installation package
If you are installing on Windows 2000 please download the package for this OS
b If you have installed an earlier version of NeoRouter please uninstall it using Windows Add or Remove
Program tool
You may be prompted with a dialog box asking whether to remove user data files generated by NeoRouter
These files include database configuration and cached information If you are simply upgrading please
click ldquoNordquo to keep the files
c Launch the installation wizard choose NeoRouter Server and click the Next button
User Manual
NeoRouter Inc 2010 Page 9 of 53
d Setup a domain name that can uniquely identify your virtual LAN You will need to enter the domain name
in the log on to box during sign in
e Setup the administrator account for your domain You will need to enter the username and password during
sign in
User Manual
NeoRouter Inc 2010 Page 10 of 53
f Click the Finish button to complete installation
g NeoRouter is installed under ldquoProgram FilesZebraNetworkSystemsNeoRouterrdquo and user data is stored
under ldquoAllUsersAppdataZebraNetworkSystemsNeoRouterrdquo
h NeoRouter server daemon can be controlled in Services Console (servicesmsc)
223 Install NeoRouter server on Mac
a Download NeoRouter server for Mac
b If you have installed an earlier version of NeoRouter please uninstall it In a terminal execute command
sudo LibraryNeoRouterrmnrserversh
c Double-click nrserver-ltversiongt-ltreleasegtdmg to open the disk image in Finder
d Double-click NeoRouterServermpkg to launch installer
e NeoRouter is installed under LibraryNeoRouter folder and user data is stored under
usrlocalZebraNetworkSystemsNeoRouter
224 Install NeoRouter server on Linux
a Download NeoRouter Server for your Linux distribution
b If you have installed an earlier version of NeoRouter please uninstall it
Redhat and Fedora sudo rpm -e nrserver
SuSE sudo rpm -e nrserver
Ubuntu and Debian sudo dpkg -r nrserver
c Install
Ubuntu amp Debian sudo dpkg -i nrserver-ltversiongt-ltreleasegti386deb
SuSE sudo rpm -i nrserver-ltversiongt-ltreleasegti386rpm
Redhat and Fedora sudo rpm -i nrserver-ltversiongt-ltreleasegti386rpm
Configure OpenSSL NeoRouter is compiled using openssl 098g If you have an older version of
Fedora please upgrade the openssl package You may also need to add the following symbol links
cd lib
ln -s libcryptoso098g libcryptoso098
ln -s libsslso098g libsslso098
d Configure firewall for NeoRouter server listening port
User Manual
NeoRouter Inc 2010 Page 11 of 53
Redhat and Fedora In a terminal run command sudo nano etcsysconfigiptables add -A INPUT -m
state --state NEW -m tcp -p tcp --dport 32976 -j ACCEPT before COMMIT
SuSE Launch firewall configuration tool choose Allowed Services in the left panel choose External
Zone in the first drop-down box choose NeoRouter server in the second drop-down box click Add
button click Next click Finish to save the changes
Ubuntu does not support firewall by default If you setup any firewall please open NeoRouter server port
(32976 by default)
e NeoRouter is installed under usrbin and user data is stored under
usrlocalZebraNetworkSystemsNeoRouter
225 Install NeoRouter Server on OpenWRT Kamikaze
a Connect to the router using ssh
b Update available install packages using command opkg update
c If you have installed an earlier version of NeoRouter please uninstall it opkg uninstall nrserver
d Install opkg install httpwwwneoroutercomDownloadsKamikazenrserver_ltversiongt-
ltreleasegt_mipselipk
e Configure firewall for the NeoRouter server listening port
edit etcfirewalluser and add the following
iptables -t nat -A prerouting_wan -p tcp --dport 32976 -j ACCEPT
iptables -A input_wan -p tcp --dport 32976 -j ACCEPT
f NeoRouter is installed under usrbin and user data is stored under
usrlocalZebraNetworkSystemsNeoRouter
226 Install NeoRouter Server on Tomato
a Download NeoRouter Server for Tomato It is a custom build of the full tomato firmware in TRX format
b Flash your router with the downloaded firmware See httpenwikibooksorgwikiTomato_(firmware) for
instructions
c In tomato UI ndash Administration ndash Jffs2 enable jffs and format if needed
d In tomato UI ndash Administration ndash scripts ndash WAN up add usrbinnrserversh start
e Reboot router
f NeoRouter is installed under usrbin and user data is stored under
usrlocalZebraNetworkSystemsNeoRouter
g Troubleshoot If you have trouble signing into NeoRouter Network Explorer from a remote client please
try DISABLE the Inbound Connection Logging In tomato UI - Status - Logs - Logging Configuration
disable Inbound Connection
227 Install NeoRouter Server on Fonera 20 N
a Download the NeoRouter Server for Fonera 20N (FON Plugin) package
b Open browser and log on to Fonera router web interface By default it is http192168101
c Navigate to Dashboard gtgt Applications
d If you have installed an earlier version of NeoRouter please uninstall it choose NeoRouter and click on the
ldquoXrdquo button to remove it
e Make sure there is more than 13MB free space left on the device
f Click the Browse button and choose the NeoRouter package then click the Upgrade button
g The installation will complete in a few seconds and the webpage will refresh automatically Do not
interrupt your browser during installation
h Please verify that NeoRouter icon shows up in the applications list and dashboard
i NeoRouter is installed under usrbin and user data is stored under
usrlocalZebraNetworkSystemsNeoRouter
User Manual
NeoRouter Inc 2010 Page 12 of 53
228 Create first administrator account
On Windows the install wizard will guide user to create the administrator
On non-Windows platforms NeoRouter can defer the authentication to the OS So user can sign in NeoRouter
using the same username and password as heshe logs into OS An exception is that if userrsquos OS account does
not have a password NeoRouter will not allow heshe to log in In this case user must create the first
administrator account using nrserver CLI ldquonrserver -adduser ltusernamegt ltpasswordgt [admin|user]rdquo On Mac
nrserver is located under ldquoLibraryNeoRouterrdquo
229 Setup NeoRouter domain
This step is only necessary on non-Windows platforms because Windows install wizard does this
automatically
a Launch web browser navigate to Dashboard CreateDomain page
httpswwwneoroutercomDashboardCreateDomainaspx fill the form and click Save
b Open a terminal on the server host and execute ldquonrserver -setdomain ltdomain namegt ltdomain
passwordgtrdquo On Mac nrserver is located under ldquoLibraryNeoRouterrdquo
2210 Port forwarding
This step is only necessary if your server host is behind a router or firewall We need to expose the NeoRouter
server port to Internet so server can accept incoming connections from the NeoRouter clients If you are using
NeoRouter in-a-box version and your router is directly connected to the cableDSL modem this step is
unnecessary
a Assign the server host a static LAN IP address
b Add ltserver host IP port 32976gt to Port Forwarding list NeoRouter server listens at port 32976 by default
and admin can change the port number using Configuration Explorer or nrserver CLI
Another option is to expose the NeoRouter server port is by UPnP This is only supported on Windows
a Enable UPnP in your router or firewall
b Launch Configuration Explorer on the server host click on ldquoSettingsrdquo tab and change ldquoserver NAT
settingrdquo to ldquoEnable UPnPrdquo
c Click the ldquoRestartrdquo button to restart server daemon
23 Client Setup
231 Install NeoRouter Client on Windows
a Download NeoRouter installation package for Windows NeoRouter server and client for Windows share
the same installation package
If you are installing on Windows 2000 please download the special package for this OS
b If you have installed an earlier version of NeoRouter please uninstall it using Windows Add or Remove
Program tool
c Run the installation wizard choose NeoRouter Client and click the Next button
User Manual
NeoRouter Inc 2010 Page 13 of 53
d On Vista or Win7 you may be prompted with a security warning because NeoRouter installs a virtual
network adapter Please allow the installer to proceed
e Follow the wizard to complete installation
f NeoRouter Network Explorer and Configuration Explorer are added to Windows Start menu
g NeoRouter is installed under ldquoProgram FilesZebraNetworkSystemsNeoRouterrdquo and user data is stored
under ldquoAllUsersAppdataZebraNetworkSystemsNeoRouterrdquo
h NeoRouter client service daemon can be controlled in Services Console (servicesmsc)
232 Install NeoRouter Client on Mac
a Download NeoRouter client for Mac
b If you have installed an earlier version of NeoRouter please uninstall it In a terminal execute command
sudo LibraryNeoRouterrmnrclientsh
c Double-click nrclient-ltversiongt-ltreleasegtdmg to open the disk image in Finder
d Double-click tuntap-ltversiongtpkg to install virtual network interface kernel extension
e Double-click NeoRouterClientmpkg to install NeoRouter client
f On Leopard or above NeoRouter Network Explorer is installed to the Applications folder
g On PPC Tiger a shortcut (nrclientcmd) is created on the Desktop and double-click it will launch Network
Explorer CLI
h NeoRouter is installed under ApplicationsNeoRouterapp and LibraryNeoRouter folder and user data is
stored under usrlocalZebraNetworkSystemsNeoRouter
233 Install NeoRouter Client on Linux
a Download NeoRouter Client for your Linux distribution
b If you have installed an earlier version of NeoRouter please uninstall it
Redhat and Fedora sudo rpm -e nrclient
SuSE sudo rpm -e nrclient
Ubuntu and Debian sudo dpkg -r nrclient
c Install
User Manual
NeoRouter Inc 2010 Page 14 of 53
RedHat and Fedora sudo rpm -i nrclient-ltversiongt-ltreleasegti386rpm
SuSE sudo rpm -i nrclient-ltversiongt-ltreleasegti386rpm
Ubuntu and Debian sudo dpkg -i nrclient-ltversiongt-ltreleasegti386deb
d Configure firewall for P2P connection (Optional)
Establishing direct P2P connection on Linux requires user to disable firewall Otherwise all connections to
this client will be relayed via server User must evaluate the trade-offs between performance and security
If this client is always physically located inside a trusted network like office or home LAN we recommend
disabling firewall and allow P2P connection If this client is physically located in an un-trusted network
like airport or coffee shop we recommend enabling firewall and relay all traffic via server
e Run usrbinnrclientcmd to launch Network Explorer CLI
f NeoRouter is installed under usrbin and user data is stored under
usrlocalZebraNetworkSystemsNeoRouter
234 Install NeoRouter Client on OpenWRT Kamikaze
a Connect to the router using ssh or telnet
b Update available install packages using command opkg update
c If you have installed an earlier version of NeoRouter please uninstall it opkg uninstall nrclient
d Install opkg install httpwwwneoroutercomDownloadsKamikazenrclient_ltversiongt-
ltreleasegt_mipselipk
e Configure firewall for P2P connection (Optional)
Please read NeoRouter client installation instructions for Linux and evaluate the trade-off between
performance and security If you decide to turn off firewall here is the instruction
edit etcfirewalluser and add the following
iptables -t nat -A prerouting_wan -p tcp -j ACCEPT
iptables -A input_wan -p tcp -j ACCEPT
iptables -t nat -A prerouting_wan -p udp -j ACCEPT
iptables -A input_wan -p udp -j ACCEPT
f Run usrbinnrclientcmd to launch Network Explorer CLI
g NeoRouter is installed under usrbin and user data is stored under
usrlocalZebraNetworkSystemsNeoRouter
h Turn your router into a file or backup server (Optional)
If your router has 8MB or more flash there should be enough space left for other packages You can enable
USB storage and Samba server and turn your router into a file server Or you can install rsync and turn it
into a backup server NeoRouters remote access and VPN service will allow you to securely access the
files from anywhere This solution is a lot cheaper than Small Business server or Windows Home server
Enable USB Storage httpnuwikiopenwrtorgoldwikiusbstoragehowto
Install Samba httpwikiopenwrtorgoldwikisambahowto
Install rsync httpoldwikiopenwrtorgrsync(2d)usb(2d)sambaHowTohtml
235 Install NeoRouter Client on Fonera 20N
a As Fonera 20N does not provide enough flash memory to install the NeoRouter client package we can run
it from a USB drive Another option is to flash the router with OpenWrt Kamikaze
b Download NeoRouter Client for Fonera 20N package
c Copy the package to a USB drive plug the USB drive to the FON router
d Connect to router using ssh
e Extract files tar zxvf nrclient-0991528-fon2n-mipseltgz
f If you didnt install the NeoRouter server plugin for FON please run the following commands Otherwise
you can skip this step
cp libuClibc++-022so usrliblibuClibc++-022so
ln -s usrliblibuClibc++-022so usrliblibuClibc++so0
g Setup NeoRouter Client
mkdir usrlocalZebraNetworkSystemsNeoRouter
run ldquonrservice amprdquo to launch the client service in the background
User Manual
NeoRouter Inc 2010 Page 15 of 53
run nrclientcmd to launch the Network Explorer CLI
h Disable firewall if you would like to establish direct P2P connection to this client
i Use the following steps to run client service automatically
vi usrbinnrcronclient and enter
binsh
if [ -z $(ps | grep nrservice | grep -v grep) ] then
usrbinnrservice gtdevnull amp
fi
exit 0
chmod 755 usrbinnrcronclient
Add a new entry to fonstate
etcinitdfonstate stop
vi etcconfigfonstate and enter
config fontimer
option action usrbinnrcronclient
option period 30
etcinitdfonstate start
3 Network Explorer
31 Launch and Sign In
a On Windows launch NeoRouter Network Explorer from Windows Start Menu | All Programs | NeoRouter
| NeoRouter Network Explorer
On Mac Leopard or above launch NeoRouter Network Explorer from Applications folder You can also
pin NeoRouter to the dock
User Manual
NeoRouter Inc 2010 Page 16 of 53
b Enter user credential
- If NeoRouter server is installed on Windows please use the administrator account created during
server setup
- If NeoRouter server is installed on other platforms NeoRouter can defer the authentication to the
operating system so user can sign in using the same username and password as heshe logs into OS
- User can also use the additional accounts created in Configuration Explorer or server CLI
- If you are invited to a NeoRouter domain please contact the administrator for your account
information
c In the Log on to field enter the domain name you have chosen during server setup Alternatively you can
enter the serverrsquos IP address or computer name You can also enter localhost if the Network Explorer is
on the same host as the server
d If the client host is behind proxy please choose Menu ldquoFile | Connectionsrdquo to bring up the Connection
Options dialog click Proxy Setting tab and then set proxy information
e Click the Sign In button
32 Computer List
The computer list is your view of the VLAN You can add any computer in your VLAN to this list and organize
according to your preference You will always have the same list regardless where you sign in from Each user will
have hisher separate list
Initially you will see an empty computer list after signing in for the very first time (see the left picture below) To
add a computer you can choose the menu Computers | Add a computer and then select the computer and category
in the dialog Once complete your computer list will be updated (see the right picture below)
You can use categories to help manage a long list of computers To create a category you can choose menu
Computers | Create a category To move a computer to a different category you can simply drag and drop
User Manual
NeoRouter Inc 2010 Page 17 of 53
Starting in release v098 the computer list shows the OS type icons next to a computer name If a computer is
online its icon is colourful and its name is bold If a computer is offline its icon is grey and its name is not bold
33 Add-on Add-ons extend NeoRouter Network Explorer and let you perform additional tasks over the virtual network
User Manual
NeoRouter Inc 2010 Page 18 of 53
331 Add-on launch pad
If you click on a computer in the computer list a popup dialog will display a list of actions you can take to remotely
control and access this computer This dialog is called the add-on launch pad
Screenshots on Windows
Screenshot on Mac
User Manual
NeoRouter Inc 2010 Page 19 of 53
NeoRouter Network Explorer has a few system default add-ons If a computer is online the following add-ons are
available
Icon Action
remote desktop connection
file sharing
ICMP ping
copy the IP address
If a computer is offline the following add-ons are supported
Icon Action
remote wakeup (WOL)
Note on remote wakeup NeoRouter server can send the Magic packet and wake up hosts that are WOL enabled If
the NeoRouter server is installed on a router remote wakeup works for hosts directly attached to this router If
server is installed on Windows Linux or Mac remote wakeup works for hosts in the same physical LAN To enable
WOL you may need to change BIOS and OS settings
332 Manage Add-ons (Windows)
You can download additional add-ons from the NeoRouter download website
(httpwwwneoroutercomaddonsindexhtml) and install them using the Add-on Manager Here we use UltraVNC
as an example to explain the setup process
a Launch NeoRouter Network Explorer choose menu File - Add-ons
b The Add-ons Manager dialog lists all the existing add-ons including system default ones and those
installed by user
User Manual
NeoRouter Inc 2010 Page 20 of 53
c To find more add-ons click on the Add-ons Gallery link at the bottom of the dialog or visit
httpwwwneoroutercomaddonsindexhtml in your web browser Download the add-on (nri) file to
your computer
d In the Add-ons Manager dialog click on Install button locate the nri file you just downloaded and
click Open to install the add-on
e Some add-ons including UltraVNC may require user to restart the NeoRouter Network Explorer to
complete the installation In such case you will see the following message box You can exit NeoRouter
Network Explorer by right click its icon in system tray and choose exit
f After installation you will see the new add-ons show up in the list
User Manual
NeoRouter Inc 2010 Page 21 of 53
g When you re-launch NeoRouter Network Explorer UltraVNC server will be started automatically If you
have not run UltraVNC server before you will see the following firewall warning and VNC configuration
dialog
h Please click the unblock button when you see the following dialog
Please enter VNC password then click the Ok button
User Manual
NeoRouter Inc 2010 Page 22 of 53
i Repeat the above steps on the remote computer that you plan to access
j To launch VNC viewer and access the remote computer choose the computer in the computer list and
click VNC viewer icon in the launch pad
333 Manage Add-ons (Mac)
a Launch NeoRouter Network Explorer choose menu File - Add-ons
b The Add-ons Manager dialog lists all the existing add-ons including system default ones and those added
by user
User Manual
NeoRouter Inc 2010 Page 23 of 53
c An add-on is essentially an apple script with NeoRouter parameters Here are some examples
Name Script
Copy IP set the clipboard to $NRIPAddress
Ping tell application Terminal to do script ping $NRIPAddress
Shared Folder tell application Finder to open location smb$NRIPAddress
Variables $NRIPAddress and $NRComputerName will be replaced with the IP and name of the selected
computer before the add-on is executed
d You can also create new add-ons or edit existing ones using the Add-On Properties dialog
User Manual
NeoRouter Inc 2010 Page 24 of 53
e To learn more about Apple Script please visit the following websites
httpenwikipediaorgwikiAppleScript
httpdeveloperapplecommaclibrarydocumentationAppleScriptConceptualAppleScriptXAp
pleScriptXhtml
34 Connection Options Connection Options dialog can be opened from Network Explorer menu ldquoFile | Connectionrdquo
341 P2P Connection This option allows user to specify the connection type between this computer and its peers The default option is
UDP User can also use direct TCP connection or relay traffic through NeoRouter server
342 Proxy Setting If the client host is behind proxy user can enter the proxy information here
User Manual
NeoRouter Inc 2010 Page 25 of 53
343 Server Local Address This option can be used to work around the connectivity issue when NeoRouter server is behind a router that does
not support hairpin
A router supports hairpin if it allows a host behind it to send network messages to its public-facing interface
Unfortunately some popular routers do not support this feature or turn off this feature by default
When user logs into NeoRouter Network Explorer first translates domain name into routerrsquos public address using
the NeoRouter DDNS service and then tries to connect to server using this address If both NeoRouter server and
client are behind the same router and the router does not support hairpin the router will block the messages that
client sends to the routerrsquos public address thus client fails to establish connection to server User could work around
this issue by entering serverrsquos LAN IP address instead of domain name in the ldquolog on tordquo box but this can be a
hassle for laptop users who frequently move between networks
These users can choose the second option ldquoConnect to server using its local address when possiblerdquo in the following
dialog and enter serverrsquos local address NeoRouter Network Explorer can detect when client and server are behind
the same router and automatically choose the specified local address to establish the connection to server
User Manual
NeoRouter Inc 2010 Page 26 of 53
35 Multi-Language
Multi-Language support allows you to change the default language displayed in Network Explorer NeoRouter
Portable and Configuration Explorer
351 Install a language resource file
NeoRouter applications support 34 languages and English is the default To install a new language you can
download the language resource files from
httpwwwneoroutercomwikiindexphpNeoRouterWikiMultilanguage and place them under the translation
folder Then the application will load them and list all available languages in the Language menu You can switch
language in the menu and the application will refresh its UI with the new language
For NeoRouter Network Explorer and Configuration Explorer the language resource files should be placed under
one of the following folders
ldquoProgram FilesZebraNetworkSystemsNeoRouterTranslationrdquo
ldquoAllUsersAppdataZebraNetworkSystemsNeoRouterTranslationrdquo
For NeoRouter PortableUSB the language resource file should be placed under Translations folder next to
application
352 Language resource file format
The file name should have the following format [Appliation Name] can be NRClient NRViewer and NRConsole
[LangCd] is the short language code
[Application name]Resource[LangCd][xml|dll]
For example Simplified Chinese version has the following files NRClientResourceZhCnxml for Network
Explorer NRConsoleResourceZhCnxml for Configuration Explorer and NRViewerResourceZhCnxml for
NeoRouter Portable
User Manual
NeoRouter Inc 2010 Page 27 of 53
Each resource file is an xml that contains all the strings defined in the NeoRouter applications The file is encoded in
ANSI The content should be in the format
ltxml version=10 encoding=windows-1252gt
ltresource CompactMode=1 Language=English (United States) LANGID=1033
version=09101650gt
ltstring id=100 value=OLE initialization failed Make sure that the OLE libraries are
the correct versiongt
ltresourcegt
Encoding (=windows-1252) Language(=English (United States)) and LANGID(=1033) are used to control
the translation version=09101650 is resource file version number introduced in v0910 The resource file can
be recognized properly only when these parameters are set properly
353 Multi-Language support for Add-ons
The names and descriptions of the add-ons can be translated to other languages as well You can download the add-
on configuration file from NeoRouter website and overwrite the following file
AllUserAppDataZebraNetworkSystemsNeoRouterAddOnsAddOnxml
36 Skin
Skin allows you to further customize the user interfaces of Network Explorer NeoRouter Portable and
Configuration Explorer
To install a new skin you can download the skin resource file from
httpwwwneoroutercomwikiindexphpNeoRouterWikiSkin and place them under the skin folder
For NeoRouter Network Explorer and Configuration Explorer the language resource files should be placed under
one of the following folders
ldquoProgram FilesZebraNetworkSystemsNeoRouterSkinrdquo
ldquoAllUsersAppdataZebraNetworkSystemsNeoRouterSkinrdquo
For NeoRouter PortableUSB the language resource file should be placed under Skin folder next to executable
To change default skin you need to modify (or create if not exists)
AllUserAppDataZebraNetworkSystemsNeoRouterFeatureini file and add the following
[Default]
SkinName=xxxxstyles
SkinStyle=xxxxini
37 Network Explorer CLI
NeoRouter Network Explorer Command Line Interface (CLI) allows user to sign in manage the computer list and
view computer status Below are the screenshots on Mac and Ubuntu Linux
User Manual
NeoRouter Inc 2010 Page 28 of 53
371 Launch CLI
Usage nrclientcmd [-d DOMAIN] [-u USERNAME] [-p PASSWORD] [-setproxy] [-setconn] [-dbroot DBROOT]
[-internal] [--help]
To launch Network Explorer CLI you can simply run nrclientcmd in a terminal without parameters Mac users can
simply double-click on the nrclientcmd shortcut on the Desktop You will be prompted for domain name and user
credential
If you need to launch nrclientcmd in a startup script you can also provide domain name or credential in the
command line arguments
If the client host is behind a proxy you can use ndashsetproxy option The proxy information will be stored in the
configuration file and nrclientcmd will respect this setting subsequently
There are also a few advance options
- setconn allow user to specify client-to-client connection type
- dbroot allow user to specify the location to store user data
- internal nrclientcmd will generate tags between information sections This option can be used by third
party developers to create a UI wrapper for CLI
372 Computer List in CLI
After signing in you will see your computer list just like on Windows The computer list will automatically update
if there are any changes in your virtual LAN eg a host comes online or offline
At the bottom of the screen lists the available commands you can use to manage the computer list change password
remotely wake up a computer or to quit
38 Network Explorer Portable
NeoRouter Network Explorer Portable can run from any computer without installation It does not require
administrator permission or use the virtual network adapter This application can be extremely useful for users who
need to connect to the VLAN from a public kiosk or from friendrsquos house
User Manual
NeoRouter Inc 2010 Page 29 of 53
Note Prior to v111 Portable and USB are two separate packages They are merged into one package in v111 and
later releases The new package is a zip file containing both the portable client and the USB Auto Run Configuration
Tool The functionalities are same as before
381 Network Explorer Portable
To use Network Explorer Portable client user can simply download it from NeoRouter download website and run
Then user will see the same user interface as the regular Network Explorer The user experience is almost the same
except for the following
The host running PortableUSB client cannot be added to the computer list or be accessed by remote computer
You can think of it as a ldquoviewer of the VLANrdquo
NeoRouter administrator users can see and manage hosts running PortableUSB clients in the Configuration
Explorer
382 Auto Run Configuration for USB
Auto Run Configuration Tool allows user to store the portable client add-ons and configuration on a USB drive
You can even configure it to launch and sign in automatically when the USB drive is plugged into a computer and to
sign out and exit when the USB drive is unplugged
Here are the steps for setting up the USB package
a Download NeoRouter for USB
b Unzip the package to any folder For example CTEMP
c Launch the ldquoAuto Run Configuration Toolrdquo (AutoRunCfgexe)
User Manual
NeoRouter Inc 2010 Page 30 of 53
d Click on the ldquohelliprdquo button next to the working directory text box and specify a working path If the target
USB drive is plugged in you can specify the USB drive root path as the working directory Or you can
specify a temporary path (eg CTEMPUSB) and copy the files to your USB driver later
e Once you specify a working directory the Settings section will be enabled
f Choose CliViewerexe from the same install zip package as the Target file
g Check the Sign in checkbox and enter the domain name and user information to log into your NeoRouter
VLAN
h Setup the proxy information if necessary
i If you want to import a NeoRouter add-on click on the button on the right side of the Add-on file text
box and specify an add-on nri file
j If you want to run an application automatically after signing in click on the Run application
automatically check box and input an executable file path and parameters
k If you want to hide the NeoRouter Viewer window click on the Minimize NeoRouter window when
started
l Click on Save button to save the configuration files It will generate the following files under the working
directory
- Autoruninf
- CliViewerexe copied from the target file
- NRAutoRunxml
- [add-on file]nri if you specify an add-on
- Proxyxml if you specify a proxy
m You will also see the following dialog if the configuration was successful Then please copy all files and
sub-folder under the working directory to the root of your USB drive And the USB drive is ready to use
39 Change Password
A user can change hisher password in NeoRouter Network Explorer User must sign in the Network Explorer using
old password then choose menu ldquoFile | Change Passwordrdquo then enter the new password in the dialog
Network Explorer CLI has similar functionality After signing in user can use ndashchangepassword command to enter
new password
If a user loses the old password an administrator can create a new password for himher using the Configuration
Explorer User Management tool
User Manual
NeoRouter Inc 2010 Page 31 of 53
4 Configuration Explorer
NeoRouter Configuration Explorer is a Windows application that allows an administrator to manage local or remote
NeoRouter server This is the recommended method to change server settings
If user does not have a Windows computer nrserver CLI can be used to perform most configurations
41 Launch and Sign In
Note Only administrators can sign in Configuration Explorer
a User can launch it from Windows Start Menu | All Programs | NeoRouter | NeoRouter Network Explorer
or from NeoRouter Network Explorer menu ldquoFile | Optionsrdquo
b After launch user will see a sign-in dialog that is similar to the Network Explorer counterpart Please enter
domain name and user credential to sign in If the local host is behind a proxy please click on Connection
button to set proxy information
c After sign in the following general information page will be displayed
User Manual
NeoRouter Inc 2010 Page 32 of 53
42 Managing Users
In the User Accounts page you can perform the following tasks
- View existing users The users list can be sorted by any column
- Add a new user admin will create a temporary password for the new user and user can change the
password in Network Explorer
- Edit user information you can enter anything like employer contact info etc
- Set userrsquos password If a user loses password admin can set a temporary password for himher Then user
can change the password again in Network Explorer
- Disable (block) a user A disabled user will not be able to sign in Network Explorer or Configuration
Explorer The userrsquos profile and ACL settings are retained
- Delete a user all information of this user is deleted
- View the computers that are visible to this user (see ACL section for details)
User Manual
NeoRouter Inc 2010 Page 33 of 53
43 Managing Computers
In the Computers page you can perform the following tasks
- View existing computers please note that the Type column will show ldquoTemporaryrdquo for Network Explore
PortableUSB clients and ldquoPermanentrdquo for regular clients The computer list can be sorted by any column
- Edit a computerrsquos alias When a computer is added to the virtual network NeoRouter reads the computer
name from the OS and displays it in the computer list If you prefer a different name you can create an
alias which will then be used in the computer list
- Edit a computerrsquos description you can enter anything like computer owner location asset id etc
- Edit ACL this will be discussed in next section
User Manual
NeoRouter Inc 2010 Page 34 of 53
44 Access Control List
This feature is available in NeoRouter Profession Edition only
441 Overview
The ACL of a host specifies which users are granted or denied access to the host and which specific services or ports
are allowed Administrators can use ACL to manage a NeoRouter domain that has users with different trust levels
For example Joe uses NeoRouter to manage the office network at his small business He wants to share some
documents on a file server with a customer but block this customer from accessing other services on this file server
and other computers at office At the same time Joe and his coworkers should continue to have full access to all
computers
This can be a daunting task with traditional VPN solutions Once Joersquos customer is connected into the office
network heshe can access all network resources just like Joe and his coworkers If the office uses a domain
controller it can help mitigate the threat but Joe would have to check all the computers to ensure they are secure
Some coworkers can make innocent mistakes and share important files or internal websites with ldquoeveryonerdquo With
NeoRouter Joe can manage all the access control at one place and easily solve this challenge
User Manual
NeoRouter Inc 2010 Page 35 of 53
ACL defines the relationships between users and computers that can be conceptually represented using a table In
Joersquos case he needs to define the ACL as follows
Default User Joe (Admin) Customer Joersquo Co-workers
Default Computer ACL Block all
File Server Allow all Allow file sharing
block other services
Office Computer A Allow all Block all
Office Computer B Allow all Block all
Joersquos laptop Allow all Block all
Customerrsquos Computer
Letrsquos first look at the row for File Server Joersquos customer will only have access to the files sharing service There is
no ACL defined for Joe and his co-workers so the ACL for Default User is effective and they have full access
Similarly the customer will be blocked from accessing office computer A and B as well as Joersquos laptop while Joe
and his coworkers have full access to these computers
When the customer connects to Joersquos NeoRouter domain his computer will be added to the domain Because the
ACL for this computer is undefined it will have the same ACL as ldquoDefault Computerrdquo Thus the customerrsquos
computer will block all users including Joe from accessing it The customer has physical access to his own
computer
442 Define Computer ACL
You can think of a computerrsquos ACL as a row in the above ACL table An admin can select any computer in the
computer list and edit its ACL If a group of computers share the same ACL admin can copy ACL from one
computer to another
To edit the Default Computer ACL you can click on the ldquoEdit Default ACLrdquo button in the tool bar
User Manual
NeoRouter Inc 2010 Page 36 of 53
443 Define ACL entry
An ACL entry defines the relationship between one user and one computer You can think of it as a cell in the above
table To edit an ACL entry you can select the computer in the computer list click Edit ACL in the tool bar and
then select the user in the User List in the following dialog If the user does not exist in the list you can click Add
button and add himher
There are 4 types of ACL entries
Undefined the relationship between the user and the computer is not explicitly defined The user does not
show up in the User List of the ACL In this case the Default User ACL entry for this computer will be
effective
Block All the computer is invisible to the user User cannot add the computer to hisher computer list in
Network Explorer or connect to it
Note admin can view the list of computers that is visible to a specific user Click on the User Accounts tab
choose the user and then click on the ldquoUser Computer Listrdquo button from tool bar
Firewall On User can only access the services in the exceptions list provided by the computer
Firewall Off User can access all services provided by the computer
To define the Default User ACL entry for a computer choose Default User from User List If several users have the
same trust level admin can copy the ACL entry from one user to another using the ldquoCopy Fromrdquo button
444 How Firewall Works
NeoRouter Client Service daemon has a built-in firewall that monitors traffic in the virtual network The firewall
downloads the ACL from server and uses it to allow or deny incoming connections in the virtual network
User Manual
NeoRouter Inc 2010 Page 37 of 53
When a remote computer establishes a direct P2P or relayed connection to local host it also informs which user has
signed into the Network Explorer on the remote computer Then the local hostrsquos firewall will use the user id to
choose the appropriate ACL entry and control the virtual network traffic between these two computers If user does
not sign in Network Explorer on the remote computer the Default User ACL entry is used
As a result NeoRouter firewall can control a userrsquos access to a network resource (a computer or a service on a
computer) based on the ACL
445 Example hub-and-spoke
Jeffrsquos company has three business partners A B and C Jeff needs to setup bidirectional network connections with
each partner but these partners should be invisible to each other Jeff setup a NeoRouter domain and invited the
partners to Then Jeff creates the following ACL to achieve his access control goals
Default User Jeff (Admin) Partner A Partner B Partner C
Default Computer ACL Block all Allow all
Jeffrsquos Computer 1 (Hub 1) Allow all
Jeffrsquos Computer 2 (Hub 2) Allow all
Partner Arsquos Computer
Partner Brsquos computer
Partner Crsquos computer
Every user will have access to Jeffrsquos two computers (hub) because they have Default User ACL entry as ldquoAllow
allrdquo Partner Arsquos computer does not have a specific ACL defined so the Default Computer ACL is effective The
Default Computer ACL grants Jeff access to Partner Arsquos computer but make the computer invisible to Partner B and
C Partner A have physical access to his own computer
446 Example one-way access
Jasonrsquos company provide technical support for customer A Jason needs to have one-way access to Customer Arsquos
computer but block Customer A from accessing Jasonrsquos computer Jason sets up the following ACL for his domain
and invites Customer A to join his domain Jason can access all the computers in the domain while Customer A can
access none except for his own
One day Jason visits another Customer Brsquos office He installs NeoRouter client on Customer Brsquos computer so that he
can provide technical support remotely in the future When he signs into Network Explorer he makes sure to
uncheck ldquoremember my passwordrdquo checkbox When he leaves customer Brsquos office he exits the Network Explorer
Because Network Explorer is not running on Customer Brsquos computer the Default User ACL governs the
connections from Customer Brsquos computer to other computers in the VLAN Thus Customer B does not have access
to any computers except for his own When Jason goes back to his office he can connect to Customer Brsquos computer
remotely and provide customer support
The difference between Customer A and B is that Customer A has a NeoRouter user account while Customer B does
not The result is that Jason has access to all three computers while Customer A or B can only access hisher own
computer
Default User Jason (Admin) Customer A
Default Computer ACL Block all Allow all
Jasonrsquos Computer
Customer Arsquos Computer
Customer Brsquos Computer
User Manual
NeoRouter Inc 2010 Page 38 of 53
45 Managing Server and Domain
In the Settings page you can perform the following tasks
- Change domain name User should have setup a domain during the server installation If you decide to
change the domain name you can create a new domain at NeoRouter Dashboard website and then use
Configuration Explorer to switch the server to new domain
- Change Listen Port this is discussed in the Advanced Configuration chapter
- Change NAT setting this is discussed in the Server Installation chapter
- Change DHCP this is discussed in the Advanced Configuration chapter
Please restart the NeoRouter server daemon after changes
46 Branding
This feature is available in NeoRouter Profession Edition only
Admin can customize the logo on the sign-in page NeoRouter Network Explorer and the banner below the computer
list The customization page of the Configuration Explorer allows user to make these changes The changes will be
effective next time user signs into the Network Explorer
User Manual
NeoRouter Inc 2010 Page 39 of 53
a Logo format custom logo can be JPG JPEG BMP or GIF files The Logo will be displayed in 180 80
pixels and the file will be automatically resized to fit The color of the pixel at (0 0) will be used as the
transparent color
b Banner format custom banner can be JPG JPEG BMP or GIF files The banner will be displayed in
190 42 pixels and the file will be automatically resized to fit
c When user clicks on the banner Network Explorer will launch a web browser and navigate to the link
specified in the ldquoBanner Linkrdquo box The banner link should be a valid URL that begins with http eg
httpwwwgooglecom
User Manual
NeoRouter Inc 2010 Page 40 of 53
47 Server Configuration CLI
Another way to configure the NeoRouter server is to use nrserverrsquos CLI If user does not have a Windows computer
with Configuration Explorer this tool can be used to set most configurations
Usage nrserver [options]
-run [--dbroot ltDBROOTgt]]
-showsettings
-setdomain ltDOMAINNAMEgt ltDOMAINPASSWORDgt
-setport ltPORTgt
-dhcp ltSUBNETgt ltNETMASKgt
-showusers
-adduser ltUSERNAMEgt ltPASSWORDgt [admin|user]
-setpassword ltUSERNAMEgt ltNEW PASSWORDgt
-setrole ltUSERNAMEgt [admin|user]
-enableuser ltUSERNAMEgt
-disableuser ltUSERNAMEgt
-deleteuser ltUSERNAMEgt
-showcomputers
-deletecomputer COMPUTERNAME
-setalias COMPUTERNAME ALIAS
-help
5 Advanced Configuration
51 Change Server Port
By default NeoRouter server listens at TCP port 32976 for incoming client connections User can change the
listening port to any valid number between 1 and 65534
a Launch Configuration Explorer sign in and open the Settings tab
b Click on ldquoChange Portrdquo button input the new listening port and click ldquoOkrdquo to save the settings
c If the NeoRouter Server is running on the same computer user will be prompted for restarting the
NeoRouter Server
d If the NeoRouter Server is running on a different computer or device user needs to restart the server
manually
User Manual
NeoRouter Inc 2010 Page 41 of 53
Note
- The new settings will not take effect until the NeoRouter server stops and restarts
- Since the listening port has been changed all NeoRouter clients connected to the server will be
disconnected and have to reconnect to the server
52 Change DHCP NeoRouter server acts as a DHCP server to allocate the virtual IP address when a NeoRouter client connects to it By default the base IP address is 100002552552550 User can change the base IP address to any valid network IP address to meet the specific requirements
a Run Configuration Explorer sign in and open the ldquoSettingsrdquo tab b Click on ldquoChange DHCPrdquo button input the new IP address and netmask and then click ldquoOkrdquo to save the
settings c If the NeoRouter Server is running on the same computer user will be prompted for restarting the
NeoRouter Server d If the NeoRouter Server is running on a different computer or device user needs to restart the server
manually
Note
- The new settings will not take effect until the NeoRouter server stops and restarts
53 Network Bridge
531 Overview NeoRouter (v099 or later) supports the Network Bridge feature which uses two very different means for
interconnecting networks routing and bridging Once the feature is enabled the ACL feature will be disabled
automatically as we cannot control the packets from the external networks anymore and may cause security issues if
its not setup properly So this is an advanced feature for the users who know about it every well
Routing - refers to the interconnection of separate and independent sub-networks (subnets) which have non-
overlapping ranges of IP addresses Upon receiving a packet sent to it a network router examines the
destination IP address to determine which of several connected networks should receive it after which that packet
is forwarded to the proper network
User Manual
NeoRouter Inc 2010 Page 42 of 53
Bridging - by comparison is much simpler A network bridge is simply an electrical interconnection between
separate physical networks that are all carrying the same ranges of IP addresses Standard dumb network hubs
and switches are examples of network bridges With a hub packets arriving at any port are bridged and sent
out to every other port A switch is a bit smarter since it is able to adaptively learn which network interface cards
(NICs) are attached to which ports But a switch is still interconnecting network segments carrying the same
ranges of IP addresses
532 Routing vs Bridging Although routed connections are the most common and straightforward to configure they suffer from significant
operational limitations By comparison bridged connections are generally much trickier to configure and are not
even natively available under all operating systems so they are not the default connection type But when bridging
is properly setup it correctly does everything that we want
Bridging and routing are functionally very similar with the major difference being that a routed VPN will not pass
IP broadcasts while a bridged VPN will
Routing advantages
Efficiency and scalability
Allows better tuning of MTU for efficiency
Routing disadvantages
Clients must use a WINS server (such as samba) to allow cross-VPN network browsing to work
Routes must be set up linking each subnet
Software that depends on broadcasts will not see machines on the other side of the VPN
Works only with IPv4 in general and IPv6 in cases where tuntap drivers on both ends of the connection
support it explicitly
Bridging advantages
Broadcasts traverse the VPN -- this allows software that depends on LAN broadcasts such as Windows
NetBIOS file sharing and network neighborhood browsing to work
No route statements to configure
Works with any protocol that can function over ethernet
Relatively easy-to-configure solution for road warriors
Bridging disadvantages
Less efficient than routing and does not scale well
533 Setup Network Bridge With either bridging mode or routing mode one can create point-to-site VPN site-to-site VPN or even multiple site-
to-site networks Once a network structure is well designed one can use Featureini file to control NeoRouter client
service to implement it
The file Featureini is located in the main configuration folder which can be various for different OS
On Windows Xp
XDocuments and SettingsAll UsersApplication DataZebraNetworkSystemsNeoRouter
On Vista+
XUsersAll UsersZebraNetworkSystemsNeoRouter
On Linux and Mac OSX
usrlocalZebraNetworkSystemsNeoRouter
On in-a-box
jffs
If it does not exist please create one
The only thing to do is define the parameters in the Featureini file
User Manual
NeoRouter Inc 2010 Page 43 of 53
NetworkBridge=1
LANSegment parameter
This is a set of parameters used for mapping the external IP address or IP range to a virtual IP address so that
NeoRouter can route the packets to the proper tunnel Its defined in the following format
LANSegment[index]=[IP|IP range|segment]VIP
[index] - number start from 1 for example 123
[IP] - a valid external IP address for example 192168129126
[IP range] - a set of external IP addresses in the format as IP_BEGIN-IP_END For example 192168129126-
192168129128
[segment] - a set of external IP addresses in the format as SUBNETWORKNETMASK For example
19216812902552552550
For example
[Default]
NetworkBridge=1
LANSegment1=192168129126-192168129128192168129204
LANSegment2=192168129120192168129205
LANSegment3=192168302552552550192168129206
In the sample above the setting tells NeoRouter how to route packets
Here are several common scenarios
534 Bridging Setup ndash point to site VPN
Requirement
A company wants create a point-to-site VPN so that the employees can remotely access the printers or computers in
the office from home or customer site Since NeoRouter client cannot be installed on the printers and some
User Manual
NeoRouter Inc 2010 Page 44 of 53
computers that are running Unix OS (HP-Unix Solaris or SCO Unix) the NeoRouter Network Bridge feature
would the best choice
Design
Since we want to use the printer its better to use the bridging mode Depending on the requirements we split the
network into 3 groups
1 192168129126 - 192168128128 used for computers or printers
2 192168129200 - 192168129254 used for NeoRouter DHCP
3 Other IP address we dont want packets from these IP range go to our VPN
Setup
1 Setup NeoRouter server and config the DHCP address to 1921681292002552552550
2 Setup the gateway computer by creating a bridge to combine the NeoRouter virtual adapter and a local adapter
On Windows XP+ (except WinXp x64) one can use Windows tool to create a bridge
(check out MSDN for details)
Since some adapters may not fully support prosmic mode one has to enable it manually
(check out httpsupportmicrosoftcomkb302348)
gt netsh bridge show adapter
gt netsh bridge set a 1 e
gt netsh bridge set a 2 e
On Linux one can use brctl command to create a bridge
gt brctl addbr $br
gt brctl addif $br eth0
gt brctl addif $br nrtap
gt ifconfig nrtap 0000 promisc up
gt ifconfig eth0 0000 promisc up
gt ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast
gt
gt ifconfig $br down
gt brctl delbr $br
3 Setup Featureini file on each member of the NeoRouter network The content of the file is
[Default]
NetworkBridge=1
LANSegment1=192168129126-192168129128192168129204
After setting the file restart the nrservice or reboot computer
User Manual
NeoRouter Inc 2010 Page 45 of 53
535 Routing Setup ndash site to site VPN
Requirement
A company wants create a site-to-site VPN to link two offices located in different cities They cannot install
NeoRouter client software on their computers running Unix OS (HP-Unix Solaris or SCO Unix) The NeoRouter
Network Bridge feature would be the best choice
Design
To make the VPN fast its better to use the routing mode From the requirements we can see 3 networks
1 19216812902552552550 Office 1
2 192168302552552550 Office 2
3 100102552552550 NeoRouter virtual network
Setup
1 Setup NeoRouter client on each gateway computers
2 One each gateway computer enable the feature allowing the OS to forward packets
On Windows 2000+
create HKEY_Local_MachineSystemCurrentControlSetServicesTcpipParametersIPEnableRouter
as a string value equal to 1 in the registry This will require a system reboot to take effect To confirm it
is enabled do ipconfig all from the command line IP Routing Enabled should say yes If not confirm your
registry setting and reboot again This setting is flaky in non-server versions of Windows
Also refer to httpsupportmicrosoftcomkb230082en-us
On Linux
gt echo 1 gt procsysnetipv4ip_forward
User Manual
NeoRouter Inc 2010 Page 46 of 53
On Mac OS X
1) The easy way is to create or edit etcsysctlconf and add netinetipforwarding=1
or
2) gt sysctl -w netinetipforwarding=1
3 Setup route on each gateway
On the gateway of the 1921683x network
gt route ndashp add 1921681290 mask 25525500 1001103
On the gateway of the 192168129x network
gt route ndashp add 19216830 mask 25525500 1001102
4 Setup route stable When using routing method you need to tell your other machines how to cross the VPN to
access computers on the opposite network
Option1
This requires more work but limits configuration changes to be at the computer level
On each computer of the 1921683x network
gt route ndashp add 1921681290 mask 25525500 1921683234
On each computer of the 192168129x network
gt route ndashp add 19216830 mask 25525500 192168129129
Option 2 (not all routers support this but it is the minimal configuration method)
On the router acting as the default gateway for 1921683x network add a static route that says any traffic destined
for 1921681290 network go through 1921683x (IP address of NeoRouter PC on 1921683x network)
On the router acting as the default gateway for 192168129x network add a static route that says any traffic
destined for 19216830 network go through 192168129x (IP address of NeoRouter PC on 192168129x
network)
User Manual
NeoRouter Inc 2010 Page 47 of 53
536 Bridging Setup ndash site to site VPN
537 Run Scripts When Network Bridge feature is enabled one can define commands getting called by NR Client on the following
events
These commands should be defined in the Featureini file
1When initialize the tap device but not activate it yet
CmdOnTapInit=xxxxxxxxx
2When the tap device gets activated
CmdOnTapActive=xxxxxxxxx
3When tap device gets destroyed
CmdOnTapUninit=xxxxxxxxx
These options are available on all platforms
For example one can define a script to setup static route table after the tap gets activated and has virtual IP address
assigned
Featureini
CmdOnTapActive=usrbinsetroutetablesh
User Manual
NeoRouter Inc 2010 Page 48 of 53
54 Build Custom Add-on (Windows)
541 Create Custom Add-on You can customize an add-on or even create your own
As an example letrsquos create an add-on to get the system info of a remote computer using PsTools by Mark
Russinovich and systeminfoexe command shipped with Windows
PsTools httptechnetmicrosoftcomen-ussysinternalsbb896649aspx
systeminfo httptechnetmicrosoftcomen-uslibrarybb491007aspx
a Launch NeoRouter Network Explorer open Add-ons Manager dialog
b Click + button to create a new add-on
c In add-on properties dialog enter the following
Add-on name psexec systeminfo
Command
cmdexe C cpstoolspsexecexe NRIPAddress -u ltusernamegt systeminfo amp pause
Please replace ltusernamegt with username on the remote computer
Comment Get SystemInfo of remote machine using psexec
Startup Type Manual
Icon click Change Icon button to choose one thats easy to recognize
d In the command you can use Windows environment variables or NeoRouter variables like
NRIPAddress If you click on the button next to the Command edit box you will see the Edit
Command dialog with a list of variables you can use
User Manual
NeoRouter Inc 2010 Page 49 of 53
e Three Startup types are supported
Manual the add-on will be displayed in the launch pad of Network Explorer and user can manually
launch the program
Automatic after signing in the add-on command is automatically executed when user signs into
NeoRouter Network Explorer
Automatic after Windows starts the add-on command is automatically executed when Windows
starts
f Launch the new add-on just click on the target computer in Network Explorer and choose the add-on in
the pop-up launch pad
User Manual
NeoRouter Inc 2010 Page 50 of 53
g In the above steps I have assumed that PsTools are installed at cPsTools and the remote computer has
telnet service enabled If not lets configure the system now
PsTools download from httptechnetmicrosoftcomen-ussysinternalsbb896649aspx and extract to
cPsTools folder
h Configure telnet service on remote computer This step is required on XPVista but not necessary on
Windows 20032008 servers
Run servicesmsc from the Start -gt Run command window and configured the Telnet service for
Automatic Start the service
Follow the instructions here httpsupportmicrosoftcomkb298060en-us
Launch Windows firewall and add CWINDOWSSystem32tlntsvrexe to exception list
542 Add-on File Formats
NeoRouter supports two types of add-on files nri and nra Most users only need to deal with nri files all files
downloaded from httpwwwneoroutercomaddonsindexhtml are in this format nra files are used by advanced
users to build custom add-ons
nri is the full installation package that contains both the application and the the configure info Users can simply
download nri files from and use the Install button to setup the add-on
nra contains only the configuration info Advanced users can create custom add-ons and export the configuration
info as nra files using the Export button in the add-on properties dialog Then heshe can import the nra file
on another client But remember that you will need to manually setup the application as well
User Manual
NeoRouter Inc 2010 Page 51 of 53
6 Licensing NeoRouter
61 Licensing Overview
NeoRouter Server Professional Edition has a license control mechanism User can purchase either 8 licenses or 256
licenses The number of licenses is the max number of client computers allowed in the virtual network A
NeoRouter client requires one license regardless of whether it is online or offline A NeoRouter PortableUSB client
requires one license when it is connected to the virtual network There is no limit on the number of user accounts
NeoRouter Professional has 30 days trial period Please activate before the trial period expires to ensure
uninterrupted usage The license status and remaining trial days can be found at Configuration Explorerrsquos General
page
62 Activation
If you have purchased NeoRouter Professional Edition you should receive a product key in email Please have the
product key ready before starting the activation process
a Ensure NeoRouter server is running
b Launch Configuration Explorer and sign in
c Open ldquoGeneralrdquo page click on the ldquoActivate Productrdquo button
d Enter the product key in the following dialog
e Click on the ldquoOKrdquo button to activate it
After successful activation the ldquoActivate Productrdquo button will disappear and License status will show as activated
If the server host is non-Windows you can also activate using nrserverrsquos CLI The command is as follows On Mac
nrserver executable is located under LibraryNeoRouter
ldquonrserver ndashactivateproduct ltPRODUCT KEYgtrdquo
63 Product Key Recovery
You should receive a product key in email within 48 hours after your purchase If you lose the product key please
contact us and provide your name company shipping address and email address We will verify the information and
resend the product key to you
User Manual
NeoRouter Inc 2010 Page 52 of 53
7 Troubleshooting and Support
71 Troubleshooting
If you come cross issues when using NeoRouter please use the methods to debug or report
711 Troubleshooting steps
1Install Server
2Check Server
Process
3Check Server
Listening port
4Check Port
Forwarding
6Signin with
Domain
14Check Error
Message
20 Generate Log
and email support
9Install Client
10Check Client
Service Process
11Sign in with
serverrsquos local or
public IP and port
failed
sucessful
15 Manually Start
Servernot found
started
not start
found
not open17 Check Port
conflicts
solved
Not solved
opened
19 Check Router
Port Forward
setting
not work
Set properly
8Ready
Sign in successfully
5Sign in with
public IP and port
successful
Cannot sign in
22 Router Hairpin
issue
Cannot
sign in
12Sign in with
domain name
found
successful
failed
16 Manually Start
Client ServiceNot found
started
13Ready
Sign in successfully
18 Check serverCannot
Sign in
solved
Cannot
sign in
21 Check domain
setting
Not sovled solved
Troubleshooting Steps
Setup Server Setup Client
Note
Step 2 and 10 to check if a process is running you can use Task Manager or Services Console on
Windows or ps command on other platforms
Step 3 to check server listening port you can use telnet or netstat on all platforms You can also
TcpViewer on Windows or NetActView on Linux
Step 4 to check port forwarding you can use httpwwwneoroutercomcheckportphp
Step 5 and 6 Tip ndash use Configuration Explorer instead of Network Explorer to debug server issues
Step 20 next section will explain how to generate log files
User Manual
NeoRouter Inc 2010 Page 53 of 53
Step 22 If your router does not support Hairpin please set serverrsquos LAN address in the Connection
Options dialog See Server Local Address
712 Generate Log
If you need technical support please use the following steps to collect the log files and send them to
supportneoroutercom
a Launch Network Explorer
b Select menu item HelpgtgtTroubleshootinggtgtLog Session to File
c If you want to troubleshoot the server then restart the NeoRouter server service from the servicesmsc if
you want to create log for the client then restart the NeoRouter client service from the servicemsc
d After reproduce the issue select menu item HelpgtgtTroubleshootinggtgt Log Session to File again to disable
the log and restart the service you are trying to log
e Select menu item HelpgtgtTroubleshootinggtgtOpen Configuration Folder and you will see the log file
For advanced users please setup logging settings manually referring to
httpwwwneoroutercomwikiindexphpNeoRouterWikiFAQHow_to_generate_a_log_file3F
72 Contact Us
Company website
httpwwwneoroutercom
Technical support
supportneoroutercom
Support ticket
httpswwwneoroutercomDashboardSendTicketaspx
Support forum
httpwwwneoroutercomforum
Product sales
salesneoroutercom
Knowledge base
httpwwwneoroutercomsupport
User Manual
NeoRouter Inc 2010 Page 8 of 53
2 Installation
21 Check list
Here are the steps to setup a NeoRouter Virtual LAN Please refer to next few sections for detailed instructions on
your target operating systems
Server Setup
a Choose a host that meets the network requirements as NeoRouter server
b Install NeoRouter server software
c Create the first administrator if necessary
d Setup NeoRouter domain
e Configure router or firewall for port-forwarding or UPnP if necessary
Note NeoRouter Server for Windows has an install wizard that guides user through steps b c amp d
Client Setup
a Install NeoRouter client software
b Sign In Network Explorer and join this host to VLAN
c Install add-ons if necessary
License activation See Chapter 6 Licensing NeoRouter
22 Server Setup
221 Server Network Requirements
A NeoRouter server is usually setup on an always-on host that has stable Internet connection and a static or dynamic
public IP address If server is behind a router (or firewall) user needs to configure the router and expose the
NeoRouter server port (default to 32976) to Internet by port-forwarding or UPnP
222 Install NeoRouter server on Windows
a Download NeoRouter installation package for Windows NeoRouter server and client for Windows share
the same installation package
If you are installing on Windows 2000 please download the package for this OS
b If you have installed an earlier version of NeoRouter please uninstall it using Windows Add or Remove
Program tool
You may be prompted with a dialog box asking whether to remove user data files generated by NeoRouter
These files include database configuration and cached information If you are simply upgrading please
click ldquoNordquo to keep the files
c Launch the installation wizard choose NeoRouter Server and click the Next button
User Manual
NeoRouter Inc 2010 Page 9 of 53
d Setup a domain name that can uniquely identify your virtual LAN You will need to enter the domain name
in the log on to box during sign in
e Setup the administrator account for your domain You will need to enter the username and password during
sign in
User Manual
NeoRouter Inc 2010 Page 10 of 53
f Click the Finish button to complete installation
g NeoRouter is installed under ldquoProgram FilesZebraNetworkSystemsNeoRouterrdquo and user data is stored
under ldquoAllUsersAppdataZebraNetworkSystemsNeoRouterrdquo
h NeoRouter server daemon can be controlled in Services Console (servicesmsc)
223 Install NeoRouter server on Mac
a Download NeoRouter server for Mac
b If you have installed an earlier version of NeoRouter please uninstall it In a terminal execute command
sudo LibraryNeoRouterrmnrserversh
c Double-click nrserver-ltversiongt-ltreleasegtdmg to open the disk image in Finder
d Double-click NeoRouterServermpkg to launch installer
e NeoRouter is installed under LibraryNeoRouter folder and user data is stored under
usrlocalZebraNetworkSystemsNeoRouter
224 Install NeoRouter server on Linux
a Download NeoRouter Server for your Linux distribution
b If you have installed an earlier version of NeoRouter please uninstall it
Redhat and Fedora sudo rpm -e nrserver
SuSE sudo rpm -e nrserver
Ubuntu and Debian sudo dpkg -r nrserver
c Install
Ubuntu amp Debian sudo dpkg -i nrserver-ltversiongt-ltreleasegti386deb
SuSE sudo rpm -i nrserver-ltversiongt-ltreleasegti386rpm
Redhat and Fedora sudo rpm -i nrserver-ltversiongt-ltreleasegti386rpm
Configure OpenSSL NeoRouter is compiled using openssl 098g If you have an older version of
Fedora please upgrade the openssl package You may also need to add the following symbol links
cd lib
ln -s libcryptoso098g libcryptoso098
ln -s libsslso098g libsslso098
d Configure firewall for NeoRouter server listening port
User Manual
NeoRouter Inc 2010 Page 11 of 53
Redhat and Fedora In a terminal run command sudo nano etcsysconfigiptables add -A INPUT -m
state --state NEW -m tcp -p tcp --dport 32976 -j ACCEPT before COMMIT
SuSE Launch firewall configuration tool choose Allowed Services in the left panel choose External
Zone in the first drop-down box choose NeoRouter server in the second drop-down box click Add
button click Next click Finish to save the changes
Ubuntu does not support firewall by default If you setup any firewall please open NeoRouter server port
(32976 by default)
e NeoRouter is installed under usrbin and user data is stored under
usrlocalZebraNetworkSystemsNeoRouter
225 Install NeoRouter Server on OpenWRT Kamikaze
a Connect to the router using ssh
b Update available install packages using command opkg update
c If you have installed an earlier version of NeoRouter please uninstall it opkg uninstall nrserver
d Install opkg install httpwwwneoroutercomDownloadsKamikazenrserver_ltversiongt-
ltreleasegt_mipselipk
e Configure firewall for the NeoRouter server listening port
edit etcfirewalluser and add the following
iptables -t nat -A prerouting_wan -p tcp --dport 32976 -j ACCEPT
iptables -A input_wan -p tcp --dport 32976 -j ACCEPT
f NeoRouter is installed under usrbin and user data is stored under
usrlocalZebraNetworkSystemsNeoRouter
226 Install NeoRouter Server on Tomato
a Download NeoRouter Server for Tomato It is a custom build of the full tomato firmware in TRX format
b Flash your router with the downloaded firmware See httpenwikibooksorgwikiTomato_(firmware) for
instructions
c In tomato UI ndash Administration ndash Jffs2 enable jffs and format if needed
d In tomato UI ndash Administration ndash scripts ndash WAN up add usrbinnrserversh start
e Reboot router
f NeoRouter is installed under usrbin and user data is stored under
usrlocalZebraNetworkSystemsNeoRouter
g Troubleshoot If you have trouble signing into NeoRouter Network Explorer from a remote client please
try DISABLE the Inbound Connection Logging In tomato UI - Status - Logs - Logging Configuration
disable Inbound Connection
227 Install NeoRouter Server on Fonera 20 N
a Download the NeoRouter Server for Fonera 20N (FON Plugin) package
b Open browser and log on to Fonera router web interface By default it is http192168101
c Navigate to Dashboard gtgt Applications
d If you have installed an earlier version of NeoRouter please uninstall it choose NeoRouter and click on the
ldquoXrdquo button to remove it
e Make sure there is more than 13MB free space left on the device
f Click the Browse button and choose the NeoRouter package then click the Upgrade button
g The installation will complete in a few seconds and the webpage will refresh automatically Do not
interrupt your browser during installation
h Please verify that NeoRouter icon shows up in the applications list and dashboard
i NeoRouter is installed under usrbin and user data is stored under
usrlocalZebraNetworkSystemsNeoRouter
User Manual
NeoRouter Inc 2010 Page 12 of 53
228 Create first administrator account
On Windows the install wizard will guide user to create the administrator
On non-Windows platforms NeoRouter can defer the authentication to the OS So user can sign in NeoRouter
using the same username and password as heshe logs into OS An exception is that if userrsquos OS account does
not have a password NeoRouter will not allow heshe to log in In this case user must create the first
administrator account using nrserver CLI ldquonrserver -adduser ltusernamegt ltpasswordgt [admin|user]rdquo On Mac
nrserver is located under ldquoLibraryNeoRouterrdquo
229 Setup NeoRouter domain
This step is only necessary on non-Windows platforms because Windows install wizard does this
automatically
a Launch web browser navigate to Dashboard CreateDomain page
httpswwwneoroutercomDashboardCreateDomainaspx fill the form and click Save
b Open a terminal on the server host and execute ldquonrserver -setdomain ltdomain namegt ltdomain
passwordgtrdquo On Mac nrserver is located under ldquoLibraryNeoRouterrdquo
2210 Port forwarding
This step is only necessary if your server host is behind a router or firewall We need to expose the NeoRouter
server port to Internet so server can accept incoming connections from the NeoRouter clients If you are using
NeoRouter in-a-box version and your router is directly connected to the cableDSL modem this step is
unnecessary
a Assign the server host a static LAN IP address
b Add ltserver host IP port 32976gt to Port Forwarding list NeoRouter server listens at port 32976 by default
and admin can change the port number using Configuration Explorer or nrserver CLI
Another option is to expose the NeoRouter server port is by UPnP This is only supported on Windows
a Enable UPnP in your router or firewall
b Launch Configuration Explorer on the server host click on ldquoSettingsrdquo tab and change ldquoserver NAT
settingrdquo to ldquoEnable UPnPrdquo
c Click the ldquoRestartrdquo button to restart server daemon
23 Client Setup
231 Install NeoRouter Client on Windows
a Download NeoRouter installation package for Windows NeoRouter server and client for Windows share
the same installation package
If you are installing on Windows 2000 please download the special package for this OS
b If you have installed an earlier version of NeoRouter please uninstall it using Windows Add or Remove
Program tool
c Run the installation wizard choose NeoRouter Client and click the Next button
User Manual
NeoRouter Inc 2010 Page 13 of 53
d On Vista or Win7 you may be prompted with a security warning because NeoRouter installs a virtual
network adapter Please allow the installer to proceed
e Follow the wizard to complete installation
f NeoRouter Network Explorer and Configuration Explorer are added to Windows Start menu
g NeoRouter is installed under ldquoProgram FilesZebraNetworkSystemsNeoRouterrdquo and user data is stored
under ldquoAllUsersAppdataZebraNetworkSystemsNeoRouterrdquo
h NeoRouter client service daemon can be controlled in Services Console (servicesmsc)
232 Install NeoRouter Client on Mac
a Download NeoRouter client for Mac
b If you have installed an earlier version of NeoRouter please uninstall it In a terminal execute command
sudo LibraryNeoRouterrmnrclientsh
c Double-click nrclient-ltversiongt-ltreleasegtdmg to open the disk image in Finder
d Double-click tuntap-ltversiongtpkg to install virtual network interface kernel extension
e Double-click NeoRouterClientmpkg to install NeoRouter client
f On Leopard or above NeoRouter Network Explorer is installed to the Applications folder
g On PPC Tiger a shortcut (nrclientcmd) is created on the Desktop and double-click it will launch Network
Explorer CLI
h NeoRouter is installed under ApplicationsNeoRouterapp and LibraryNeoRouter folder and user data is
stored under usrlocalZebraNetworkSystemsNeoRouter
233 Install NeoRouter Client on Linux
a Download NeoRouter Client for your Linux distribution
b If you have installed an earlier version of NeoRouter please uninstall it
Redhat and Fedora sudo rpm -e nrclient
SuSE sudo rpm -e nrclient
Ubuntu and Debian sudo dpkg -r nrclient
c Install
User Manual
NeoRouter Inc 2010 Page 14 of 53
RedHat and Fedora sudo rpm -i nrclient-ltversiongt-ltreleasegti386rpm
SuSE sudo rpm -i nrclient-ltversiongt-ltreleasegti386rpm
Ubuntu and Debian sudo dpkg -i nrclient-ltversiongt-ltreleasegti386deb
d Configure firewall for P2P connection (Optional)
Establishing direct P2P connection on Linux requires user to disable firewall Otherwise all connections to
this client will be relayed via server User must evaluate the trade-offs between performance and security
If this client is always physically located inside a trusted network like office or home LAN we recommend
disabling firewall and allow P2P connection If this client is physically located in an un-trusted network
like airport or coffee shop we recommend enabling firewall and relay all traffic via server
e Run usrbinnrclientcmd to launch Network Explorer CLI
f NeoRouter is installed under usrbin and user data is stored under
usrlocalZebraNetworkSystemsNeoRouter
234 Install NeoRouter Client on OpenWRT Kamikaze
a Connect to the router using ssh or telnet
b Update available install packages using command opkg update
c If you have installed an earlier version of NeoRouter please uninstall it opkg uninstall nrclient
d Install opkg install httpwwwneoroutercomDownloadsKamikazenrclient_ltversiongt-
ltreleasegt_mipselipk
e Configure firewall for P2P connection (Optional)
Please read NeoRouter client installation instructions for Linux and evaluate the trade-off between
performance and security If you decide to turn off firewall here is the instruction
edit etcfirewalluser and add the following
iptables -t nat -A prerouting_wan -p tcp -j ACCEPT
iptables -A input_wan -p tcp -j ACCEPT
iptables -t nat -A prerouting_wan -p udp -j ACCEPT
iptables -A input_wan -p udp -j ACCEPT
f Run usrbinnrclientcmd to launch Network Explorer CLI
g NeoRouter is installed under usrbin and user data is stored under
usrlocalZebraNetworkSystemsNeoRouter
h Turn your router into a file or backup server (Optional)
If your router has 8MB or more flash there should be enough space left for other packages You can enable
USB storage and Samba server and turn your router into a file server Or you can install rsync and turn it
into a backup server NeoRouters remote access and VPN service will allow you to securely access the
files from anywhere This solution is a lot cheaper than Small Business server or Windows Home server
Enable USB Storage httpnuwikiopenwrtorgoldwikiusbstoragehowto
Install Samba httpwikiopenwrtorgoldwikisambahowto
Install rsync httpoldwikiopenwrtorgrsync(2d)usb(2d)sambaHowTohtml
235 Install NeoRouter Client on Fonera 20N
a As Fonera 20N does not provide enough flash memory to install the NeoRouter client package we can run
it from a USB drive Another option is to flash the router with OpenWrt Kamikaze
b Download NeoRouter Client for Fonera 20N package
c Copy the package to a USB drive plug the USB drive to the FON router
d Connect to router using ssh
e Extract files tar zxvf nrclient-0991528-fon2n-mipseltgz
f If you didnt install the NeoRouter server plugin for FON please run the following commands Otherwise
you can skip this step
cp libuClibc++-022so usrliblibuClibc++-022so
ln -s usrliblibuClibc++-022so usrliblibuClibc++so0
g Setup NeoRouter Client
mkdir usrlocalZebraNetworkSystemsNeoRouter
run ldquonrservice amprdquo to launch the client service in the background
User Manual
NeoRouter Inc 2010 Page 15 of 53
run nrclientcmd to launch the Network Explorer CLI
h Disable firewall if you would like to establish direct P2P connection to this client
i Use the following steps to run client service automatically
vi usrbinnrcronclient and enter
binsh
if [ -z $(ps | grep nrservice | grep -v grep) ] then
usrbinnrservice gtdevnull amp
fi
exit 0
chmod 755 usrbinnrcronclient
Add a new entry to fonstate
etcinitdfonstate stop
vi etcconfigfonstate and enter
config fontimer
option action usrbinnrcronclient
option period 30
etcinitdfonstate start
3 Network Explorer
31 Launch and Sign In
a On Windows launch NeoRouter Network Explorer from Windows Start Menu | All Programs | NeoRouter
| NeoRouter Network Explorer
On Mac Leopard or above launch NeoRouter Network Explorer from Applications folder You can also
pin NeoRouter to the dock
User Manual
NeoRouter Inc 2010 Page 16 of 53
b Enter user credential
- If NeoRouter server is installed on Windows please use the administrator account created during
server setup
- If NeoRouter server is installed on other platforms NeoRouter can defer the authentication to the
operating system so user can sign in using the same username and password as heshe logs into OS
- User can also use the additional accounts created in Configuration Explorer or server CLI
- If you are invited to a NeoRouter domain please contact the administrator for your account
information
c In the Log on to field enter the domain name you have chosen during server setup Alternatively you can
enter the serverrsquos IP address or computer name You can also enter localhost if the Network Explorer is
on the same host as the server
d If the client host is behind proxy please choose Menu ldquoFile | Connectionsrdquo to bring up the Connection
Options dialog click Proxy Setting tab and then set proxy information
e Click the Sign In button
32 Computer List
The computer list is your view of the VLAN You can add any computer in your VLAN to this list and organize
according to your preference You will always have the same list regardless where you sign in from Each user will
have hisher separate list
Initially you will see an empty computer list after signing in for the very first time (see the left picture below) To
add a computer you can choose the menu Computers | Add a computer and then select the computer and category
in the dialog Once complete your computer list will be updated (see the right picture below)
You can use categories to help manage a long list of computers To create a category you can choose menu
Computers | Create a category To move a computer to a different category you can simply drag and drop
User Manual
NeoRouter Inc 2010 Page 17 of 53
Starting in release v098 the computer list shows the OS type icons next to a computer name If a computer is
online its icon is colourful and its name is bold If a computer is offline its icon is grey and its name is not bold
33 Add-on Add-ons extend NeoRouter Network Explorer and let you perform additional tasks over the virtual network
User Manual
NeoRouter Inc 2010 Page 18 of 53
331 Add-on launch pad
If you click on a computer in the computer list a popup dialog will display a list of actions you can take to remotely
control and access this computer This dialog is called the add-on launch pad
Screenshots on Windows
Screenshot on Mac
User Manual
NeoRouter Inc 2010 Page 19 of 53
NeoRouter Network Explorer has a few system default add-ons If a computer is online the following add-ons are
available
Icon Action
remote desktop connection
file sharing
ICMP ping
copy the IP address
If a computer is offline the following add-ons are supported
Icon Action
remote wakeup (WOL)
Note on remote wakeup NeoRouter server can send the Magic packet and wake up hosts that are WOL enabled If
the NeoRouter server is installed on a router remote wakeup works for hosts directly attached to this router If
server is installed on Windows Linux or Mac remote wakeup works for hosts in the same physical LAN To enable
WOL you may need to change BIOS and OS settings
332 Manage Add-ons (Windows)
You can download additional add-ons from the NeoRouter download website
(httpwwwneoroutercomaddonsindexhtml) and install them using the Add-on Manager Here we use UltraVNC
as an example to explain the setup process
a Launch NeoRouter Network Explorer choose menu File - Add-ons
b The Add-ons Manager dialog lists all the existing add-ons including system default ones and those
installed by user
User Manual
NeoRouter Inc 2010 Page 20 of 53
c To find more add-ons click on the Add-ons Gallery link at the bottom of the dialog or visit
httpwwwneoroutercomaddonsindexhtml in your web browser Download the add-on (nri) file to
your computer
d In the Add-ons Manager dialog click on Install button locate the nri file you just downloaded and
click Open to install the add-on
e Some add-ons including UltraVNC may require user to restart the NeoRouter Network Explorer to
complete the installation In such case you will see the following message box You can exit NeoRouter
Network Explorer by right click its icon in system tray and choose exit
f After installation you will see the new add-ons show up in the list
User Manual
NeoRouter Inc 2010 Page 21 of 53
g When you re-launch NeoRouter Network Explorer UltraVNC server will be started automatically If you
have not run UltraVNC server before you will see the following firewall warning and VNC configuration
dialog
h Please click the unblock button when you see the following dialog
Please enter VNC password then click the Ok button
User Manual
NeoRouter Inc 2010 Page 22 of 53
i Repeat the above steps on the remote computer that you plan to access
j To launch VNC viewer and access the remote computer choose the computer in the computer list and
click VNC viewer icon in the launch pad
333 Manage Add-ons (Mac)
a Launch NeoRouter Network Explorer choose menu File - Add-ons
b The Add-ons Manager dialog lists all the existing add-ons including system default ones and those added
by user
User Manual
NeoRouter Inc 2010 Page 23 of 53
c An add-on is essentially an apple script with NeoRouter parameters Here are some examples
Name Script
Copy IP set the clipboard to $NRIPAddress
Ping tell application Terminal to do script ping $NRIPAddress
Shared Folder tell application Finder to open location smb$NRIPAddress
Variables $NRIPAddress and $NRComputerName will be replaced with the IP and name of the selected
computer before the add-on is executed
d You can also create new add-ons or edit existing ones using the Add-On Properties dialog
User Manual
NeoRouter Inc 2010 Page 24 of 53
e To learn more about Apple Script please visit the following websites
httpenwikipediaorgwikiAppleScript
httpdeveloperapplecommaclibrarydocumentationAppleScriptConceptualAppleScriptXAp
pleScriptXhtml
34 Connection Options Connection Options dialog can be opened from Network Explorer menu ldquoFile | Connectionrdquo
341 P2P Connection This option allows user to specify the connection type between this computer and its peers The default option is
UDP User can also use direct TCP connection or relay traffic through NeoRouter server
342 Proxy Setting If the client host is behind proxy user can enter the proxy information here
User Manual
NeoRouter Inc 2010 Page 25 of 53
343 Server Local Address This option can be used to work around the connectivity issue when NeoRouter server is behind a router that does
not support hairpin
A router supports hairpin if it allows a host behind it to send network messages to its public-facing interface
Unfortunately some popular routers do not support this feature or turn off this feature by default
When user logs into NeoRouter Network Explorer first translates domain name into routerrsquos public address using
the NeoRouter DDNS service and then tries to connect to server using this address If both NeoRouter server and
client are behind the same router and the router does not support hairpin the router will block the messages that
client sends to the routerrsquos public address thus client fails to establish connection to server User could work around
this issue by entering serverrsquos LAN IP address instead of domain name in the ldquolog on tordquo box but this can be a
hassle for laptop users who frequently move between networks
These users can choose the second option ldquoConnect to server using its local address when possiblerdquo in the following
dialog and enter serverrsquos local address NeoRouter Network Explorer can detect when client and server are behind
the same router and automatically choose the specified local address to establish the connection to server
User Manual
NeoRouter Inc 2010 Page 26 of 53
35 Multi-Language
Multi-Language support allows you to change the default language displayed in Network Explorer NeoRouter
Portable and Configuration Explorer
351 Install a language resource file
NeoRouter applications support 34 languages and English is the default To install a new language you can
download the language resource files from
httpwwwneoroutercomwikiindexphpNeoRouterWikiMultilanguage and place them under the translation
folder Then the application will load them and list all available languages in the Language menu You can switch
language in the menu and the application will refresh its UI with the new language
For NeoRouter Network Explorer and Configuration Explorer the language resource files should be placed under
one of the following folders
ldquoProgram FilesZebraNetworkSystemsNeoRouterTranslationrdquo
ldquoAllUsersAppdataZebraNetworkSystemsNeoRouterTranslationrdquo
For NeoRouter PortableUSB the language resource file should be placed under Translations folder next to
application
352 Language resource file format
The file name should have the following format [Appliation Name] can be NRClient NRViewer and NRConsole
[LangCd] is the short language code
[Application name]Resource[LangCd][xml|dll]
For example Simplified Chinese version has the following files NRClientResourceZhCnxml for Network
Explorer NRConsoleResourceZhCnxml for Configuration Explorer and NRViewerResourceZhCnxml for
NeoRouter Portable
User Manual
NeoRouter Inc 2010 Page 27 of 53
Each resource file is an xml that contains all the strings defined in the NeoRouter applications The file is encoded in
ANSI The content should be in the format
ltxml version=10 encoding=windows-1252gt
ltresource CompactMode=1 Language=English (United States) LANGID=1033
version=09101650gt
ltstring id=100 value=OLE initialization failed Make sure that the OLE libraries are
the correct versiongt
ltresourcegt
Encoding (=windows-1252) Language(=English (United States)) and LANGID(=1033) are used to control
the translation version=09101650 is resource file version number introduced in v0910 The resource file can
be recognized properly only when these parameters are set properly
353 Multi-Language support for Add-ons
The names and descriptions of the add-ons can be translated to other languages as well You can download the add-
on configuration file from NeoRouter website and overwrite the following file
AllUserAppDataZebraNetworkSystemsNeoRouterAddOnsAddOnxml
36 Skin
Skin allows you to further customize the user interfaces of Network Explorer NeoRouter Portable and
Configuration Explorer
To install a new skin you can download the skin resource file from
httpwwwneoroutercomwikiindexphpNeoRouterWikiSkin and place them under the skin folder
For NeoRouter Network Explorer and Configuration Explorer the language resource files should be placed under
one of the following folders
ldquoProgram FilesZebraNetworkSystemsNeoRouterSkinrdquo
ldquoAllUsersAppdataZebraNetworkSystemsNeoRouterSkinrdquo
For NeoRouter PortableUSB the language resource file should be placed under Skin folder next to executable
To change default skin you need to modify (or create if not exists)
AllUserAppDataZebraNetworkSystemsNeoRouterFeatureini file and add the following
[Default]
SkinName=xxxxstyles
SkinStyle=xxxxini
37 Network Explorer CLI
NeoRouter Network Explorer Command Line Interface (CLI) allows user to sign in manage the computer list and
view computer status Below are the screenshots on Mac and Ubuntu Linux
User Manual
NeoRouter Inc 2010 Page 28 of 53
371 Launch CLI
Usage nrclientcmd [-d DOMAIN] [-u USERNAME] [-p PASSWORD] [-setproxy] [-setconn] [-dbroot DBROOT]
[-internal] [--help]
To launch Network Explorer CLI you can simply run nrclientcmd in a terminal without parameters Mac users can
simply double-click on the nrclientcmd shortcut on the Desktop You will be prompted for domain name and user
credential
If you need to launch nrclientcmd in a startup script you can also provide domain name or credential in the
command line arguments
If the client host is behind a proxy you can use ndashsetproxy option The proxy information will be stored in the
configuration file and nrclientcmd will respect this setting subsequently
There are also a few advance options
- setconn allow user to specify client-to-client connection type
- dbroot allow user to specify the location to store user data
- internal nrclientcmd will generate tags between information sections This option can be used by third
party developers to create a UI wrapper for CLI
372 Computer List in CLI
After signing in you will see your computer list just like on Windows The computer list will automatically update
if there are any changes in your virtual LAN eg a host comes online or offline
At the bottom of the screen lists the available commands you can use to manage the computer list change password
remotely wake up a computer or to quit
38 Network Explorer Portable
NeoRouter Network Explorer Portable can run from any computer without installation It does not require
administrator permission or use the virtual network adapter This application can be extremely useful for users who
need to connect to the VLAN from a public kiosk or from friendrsquos house
User Manual
NeoRouter Inc 2010 Page 29 of 53
Note Prior to v111 Portable and USB are two separate packages They are merged into one package in v111 and
later releases The new package is a zip file containing both the portable client and the USB Auto Run Configuration
Tool The functionalities are same as before
381 Network Explorer Portable
To use Network Explorer Portable client user can simply download it from NeoRouter download website and run
Then user will see the same user interface as the regular Network Explorer The user experience is almost the same
except for the following
The host running PortableUSB client cannot be added to the computer list or be accessed by remote computer
You can think of it as a ldquoviewer of the VLANrdquo
NeoRouter administrator users can see and manage hosts running PortableUSB clients in the Configuration
Explorer
382 Auto Run Configuration for USB
Auto Run Configuration Tool allows user to store the portable client add-ons and configuration on a USB drive
You can even configure it to launch and sign in automatically when the USB drive is plugged into a computer and to
sign out and exit when the USB drive is unplugged
Here are the steps for setting up the USB package
a Download NeoRouter for USB
b Unzip the package to any folder For example CTEMP
c Launch the ldquoAuto Run Configuration Toolrdquo (AutoRunCfgexe)
User Manual
NeoRouter Inc 2010 Page 30 of 53
d Click on the ldquohelliprdquo button next to the working directory text box and specify a working path If the target
USB drive is plugged in you can specify the USB drive root path as the working directory Or you can
specify a temporary path (eg CTEMPUSB) and copy the files to your USB driver later
e Once you specify a working directory the Settings section will be enabled
f Choose CliViewerexe from the same install zip package as the Target file
g Check the Sign in checkbox and enter the domain name and user information to log into your NeoRouter
VLAN
h Setup the proxy information if necessary
i If you want to import a NeoRouter add-on click on the button on the right side of the Add-on file text
box and specify an add-on nri file
j If you want to run an application automatically after signing in click on the Run application
automatically check box and input an executable file path and parameters
k If you want to hide the NeoRouter Viewer window click on the Minimize NeoRouter window when
started
l Click on Save button to save the configuration files It will generate the following files under the working
directory
- Autoruninf
- CliViewerexe copied from the target file
- NRAutoRunxml
- [add-on file]nri if you specify an add-on
- Proxyxml if you specify a proxy
m You will also see the following dialog if the configuration was successful Then please copy all files and
sub-folder under the working directory to the root of your USB drive And the USB drive is ready to use
39 Change Password
A user can change hisher password in NeoRouter Network Explorer User must sign in the Network Explorer using
old password then choose menu ldquoFile | Change Passwordrdquo then enter the new password in the dialog
Network Explorer CLI has similar functionality After signing in user can use ndashchangepassword command to enter
new password
If a user loses the old password an administrator can create a new password for himher using the Configuration
Explorer User Management tool
User Manual
NeoRouter Inc 2010 Page 31 of 53
4 Configuration Explorer
NeoRouter Configuration Explorer is a Windows application that allows an administrator to manage local or remote
NeoRouter server This is the recommended method to change server settings
If user does not have a Windows computer nrserver CLI can be used to perform most configurations
41 Launch and Sign In
Note Only administrators can sign in Configuration Explorer
a User can launch it from Windows Start Menu | All Programs | NeoRouter | NeoRouter Network Explorer
or from NeoRouter Network Explorer menu ldquoFile | Optionsrdquo
b After launch user will see a sign-in dialog that is similar to the Network Explorer counterpart Please enter
domain name and user credential to sign in If the local host is behind a proxy please click on Connection
button to set proxy information
c After sign in the following general information page will be displayed
User Manual
NeoRouter Inc 2010 Page 32 of 53
42 Managing Users
In the User Accounts page you can perform the following tasks
- View existing users The users list can be sorted by any column
- Add a new user admin will create a temporary password for the new user and user can change the
password in Network Explorer
- Edit user information you can enter anything like employer contact info etc
- Set userrsquos password If a user loses password admin can set a temporary password for himher Then user
can change the password again in Network Explorer
- Disable (block) a user A disabled user will not be able to sign in Network Explorer or Configuration
Explorer The userrsquos profile and ACL settings are retained
- Delete a user all information of this user is deleted
- View the computers that are visible to this user (see ACL section for details)
User Manual
NeoRouter Inc 2010 Page 33 of 53
43 Managing Computers
In the Computers page you can perform the following tasks
- View existing computers please note that the Type column will show ldquoTemporaryrdquo for Network Explore
PortableUSB clients and ldquoPermanentrdquo for regular clients The computer list can be sorted by any column
- Edit a computerrsquos alias When a computer is added to the virtual network NeoRouter reads the computer
name from the OS and displays it in the computer list If you prefer a different name you can create an
alias which will then be used in the computer list
- Edit a computerrsquos description you can enter anything like computer owner location asset id etc
- Edit ACL this will be discussed in next section
User Manual
NeoRouter Inc 2010 Page 34 of 53
44 Access Control List
This feature is available in NeoRouter Profession Edition only
441 Overview
The ACL of a host specifies which users are granted or denied access to the host and which specific services or ports
are allowed Administrators can use ACL to manage a NeoRouter domain that has users with different trust levels
For example Joe uses NeoRouter to manage the office network at his small business He wants to share some
documents on a file server with a customer but block this customer from accessing other services on this file server
and other computers at office At the same time Joe and his coworkers should continue to have full access to all
computers
This can be a daunting task with traditional VPN solutions Once Joersquos customer is connected into the office
network heshe can access all network resources just like Joe and his coworkers If the office uses a domain
controller it can help mitigate the threat but Joe would have to check all the computers to ensure they are secure
Some coworkers can make innocent mistakes and share important files or internal websites with ldquoeveryonerdquo With
NeoRouter Joe can manage all the access control at one place and easily solve this challenge
User Manual
NeoRouter Inc 2010 Page 35 of 53
ACL defines the relationships between users and computers that can be conceptually represented using a table In
Joersquos case he needs to define the ACL as follows
Default User Joe (Admin) Customer Joersquo Co-workers
Default Computer ACL Block all
File Server Allow all Allow file sharing
block other services
Office Computer A Allow all Block all
Office Computer B Allow all Block all
Joersquos laptop Allow all Block all
Customerrsquos Computer
Letrsquos first look at the row for File Server Joersquos customer will only have access to the files sharing service There is
no ACL defined for Joe and his co-workers so the ACL for Default User is effective and they have full access
Similarly the customer will be blocked from accessing office computer A and B as well as Joersquos laptop while Joe
and his coworkers have full access to these computers
When the customer connects to Joersquos NeoRouter domain his computer will be added to the domain Because the
ACL for this computer is undefined it will have the same ACL as ldquoDefault Computerrdquo Thus the customerrsquos
computer will block all users including Joe from accessing it The customer has physical access to his own
computer
442 Define Computer ACL
You can think of a computerrsquos ACL as a row in the above ACL table An admin can select any computer in the
computer list and edit its ACL If a group of computers share the same ACL admin can copy ACL from one
computer to another
To edit the Default Computer ACL you can click on the ldquoEdit Default ACLrdquo button in the tool bar
User Manual
NeoRouter Inc 2010 Page 36 of 53
443 Define ACL entry
An ACL entry defines the relationship between one user and one computer You can think of it as a cell in the above
table To edit an ACL entry you can select the computer in the computer list click Edit ACL in the tool bar and
then select the user in the User List in the following dialog If the user does not exist in the list you can click Add
button and add himher
There are 4 types of ACL entries
Undefined the relationship between the user and the computer is not explicitly defined The user does not
show up in the User List of the ACL In this case the Default User ACL entry for this computer will be
effective
Block All the computer is invisible to the user User cannot add the computer to hisher computer list in
Network Explorer or connect to it
Note admin can view the list of computers that is visible to a specific user Click on the User Accounts tab
choose the user and then click on the ldquoUser Computer Listrdquo button from tool bar
Firewall On User can only access the services in the exceptions list provided by the computer
Firewall Off User can access all services provided by the computer
To define the Default User ACL entry for a computer choose Default User from User List If several users have the
same trust level admin can copy the ACL entry from one user to another using the ldquoCopy Fromrdquo button
444 How Firewall Works
NeoRouter Client Service daemon has a built-in firewall that monitors traffic in the virtual network The firewall
downloads the ACL from server and uses it to allow or deny incoming connections in the virtual network
User Manual
NeoRouter Inc 2010 Page 37 of 53
When a remote computer establishes a direct P2P or relayed connection to local host it also informs which user has
signed into the Network Explorer on the remote computer Then the local hostrsquos firewall will use the user id to
choose the appropriate ACL entry and control the virtual network traffic between these two computers If user does
not sign in Network Explorer on the remote computer the Default User ACL entry is used
As a result NeoRouter firewall can control a userrsquos access to a network resource (a computer or a service on a
computer) based on the ACL
445 Example hub-and-spoke
Jeffrsquos company has three business partners A B and C Jeff needs to setup bidirectional network connections with
each partner but these partners should be invisible to each other Jeff setup a NeoRouter domain and invited the
partners to Then Jeff creates the following ACL to achieve his access control goals
Default User Jeff (Admin) Partner A Partner B Partner C
Default Computer ACL Block all Allow all
Jeffrsquos Computer 1 (Hub 1) Allow all
Jeffrsquos Computer 2 (Hub 2) Allow all
Partner Arsquos Computer
Partner Brsquos computer
Partner Crsquos computer
Every user will have access to Jeffrsquos two computers (hub) because they have Default User ACL entry as ldquoAllow
allrdquo Partner Arsquos computer does not have a specific ACL defined so the Default Computer ACL is effective The
Default Computer ACL grants Jeff access to Partner Arsquos computer but make the computer invisible to Partner B and
C Partner A have physical access to his own computer
446 Example one-way access
Jasonrsquos company provide technical support for customer A Jason needs to have one-way access to Customer Arsquos
computer but block Customer A from accessing Jasonrsquos computer Jason sets up the following ACL for his domain
and invites Customer A to join his domain Jason can access all the computers in the domain while Customer A can
access none except for his own
One day Jason visits another Customer Brsquos office He installs NeoRouter client on Customer Brsquos computer so that he
can provide technical support remotely in the future When he signs into Network Explorer he makes sure to
uncheck ldquoremember my passwordrdquo checkbox When he leaves customer Brsquos office he exits the Network Explorer
Because Network Explorer is not running on Customer Brsquos computer the Default User ACL governs the
connections from Customer Brsquos computer to other computers in the VLAN Thus Customer B does not have access
to any computers except for his own When Jason goes back to his office he can connect to Customer Brsquos computer
remotely and provide customer support
The difference between Customer A and B is that Customer A has a NeoRouter user account while Customer B does
not The result is that Jason has access to all three computers while Customer A or B can only access hisher own
computer
Default User Jason (Admin) Customer A
Default Computer ACL Block all Allow all
Jasonrsquos Computer
Customer Arsquos Computer
Customer Brsquos Computer
User Manual
NeoRouter Inc 2010 Page 38 of 53
45 Managing Server and Domain
In the Settings page you can perform the following tasks
- Change domain name User should have setup a domain during the server installation If you decide to
change the domain name you can create a new domain at NeoRouter Dashboard website and then use
Configuration Explorer to switch the server to new domain
- Change Listen Port this is discussed in the Advanced Configuration chapter
- Change NAT setting this is discussed in the Server Installation chapter
- Change DHCP this is discussed in the Advanced Configuration chapter
Please restart the NeoRouter server daemon after changes
46 Branding
This feature is available in NeoRouter Profession Edition only
Admin can customize the logo on the sign-in page NeoRouter Network Explorer and the banner below the computer
list The customization page of the Configuration Explorer allows user to make these changes The changes will be
effective next time user signs into the Network Explorer
User Manual
NeoRouter Inc 2010 Page 39 of 53
a Logo format custom logo can be JPG JPEG BMP or GIF files The Logo will be displayed in 180 80
pixels and the file will be automatically resized to fit The color of the pixel at (0 0) will be used as the
transparent color
b Banner format custom banner can be JPG JPEG BMP or GIF files The banner will be displayed in
190 42 pixels and the file will be automatically resized to fit
c When user clicks on the banner Network Explorer will launch a web browser and navigate to the link
specified in the ldquoBanner Linkrdquo box The banner link should be a valid URL that begins with http eg
httpwwwgooglecom
User Manual
NeoRouter Inc 2010 Page 40 of 53
47 Server Configuration CLI
Another way to configure the NeoRouter server is to use nrserverrsquos CLI If user does not have a Windows computer
with Configuration Explorer this tool can be used to set most configurations
Usage nrserver [options]
-run [--dbroot ltDBROOTgt]]
-showsettings
-setdomain ltDOMAINNAMEgt ltDOMAINPASSWORDgt
-setport ltPORTgt
-dhcp ltSUBNETgt ltNETMASKgt
-showusers
-adduser ltUSERNAMEgt ltPASSWORDgt [admin|user]
-setpassword ltUSERNAMEgt ltNEW PASSWORDgt
-setrole ltUSERNAMEgt [admin|user]
-enableuser ltUSERNAMEgt
-disableuser ltUSERNAMEgt
-deleteuser ltUSERNAMEgt
-showcomputers
-deletecomputer COMPUTERNAME
-setalias COMPUTERNAME ALIAS
-help
5 Advanced Configuration
51 Change Server Port
By default NeoRouter server listens at TCP port 32976 for incoming client connections User can change the
listening port to any valid number between 1 and 65534
a Launch Configuration Explorer sign in and open the Settings tab
b Click on ldquoChange Portrdquo button input the new listening port and click ldquoOkrdquo to save the settings
c If the NeoRouter Server is running on the same computer user will be prompted for restarting the
NeoRouter Server
d If the NeoRouter Server is running on a different computer or device user needs to restart the server
manually
User Manual
NeoRouter Inc 2010 Page 41 of 53
Note
- The new settings will not take effect until the NeoRouter server stops and restarts
- Since the listening port has been changed all NeoRouter clients connected to the server will be
disconnected and have to reconnect to the server
52 Change DHCP NeoRouter server acts as a DHCP server to allocate the virtual IP address when a NeoRouter client connects to it By default the base IP address is 100002552552550 User can change the base IP address to any valid network IP address to meet the specific requirements
a Run Configuration Explorer sign in and open the ldquoSettingsrdquo tab b Click on ldquoChange DHCPrdquo button input the new IP address and netmask and then click ldquoOkrdquo to save the
settings c If the NeoRouter Server is running on the same computer user will be prompted for restarting the
NeoRouter Server d If the NeoRouter Server is running on a different computer or device user needs to restart the server
manually
Note
- The new settings will not take effect until the NeoRouter server stops and restarts
53 Network Bridge
531 Overview NeoRouter (v099 or later) supports the Network Bridge feature which uses two very different means for
interconnecting networks routing and bridging Once the feature is enabled the ACL feature will be disabled
automatically as we cannot control the packets from the external networks anymore and may cause security issues if
its not setup properly So this is an advanced feature for the users who know about it every well
Routing - refers to the interconnection of separate and independent sub-networks (subnets) which have non-
overlapping ranges of IP addresses Upon receiving a packet sent to it a network router examines the
destination IP address to determine which of several connected networks should receive it after which that packet
is forwarded to the proper network
User Manual
NeoRouter Inc 2010 Page 42 of 53
Bridging - by comparison is much simpler A network bridge is simply an electrical interconnection between
separate physical networks that are all carrying the same ranges of IP addresses Standard dumb network hubs
and switches are examples of network bridges With a hub packets arriving at any port are bridged and sent
out to every other port A switch is a bit smarter since it is able to adaptively learn which network interface cards
(NICs) are attached to which ports But a switch is still interconnecting network segments carrying the same
ranges of IP addresses
532 Routing vs Bridging Although routed connections are the most common and straightforward to configure they suffer from significant
operational limitations By comparison bridged connections are generally much trickier to configure and are not
even natively available under all operating systems so they are not the default connection type But when bridging
is properly setup it correctly does everything that we want
Bridging and routing are functionally very similar with the major difference being that a routed VPN will not pass
IP broadcasts while a bridged VPN will
Routing advantages
Efficiency and scalability
Allows better tuning of MTU for efficiency
Routing disadvantages
Clients must use a WINS server (such as samba) to allow cross-VPN network browsing to work
Routes must be set up linking each subnet
Software that depends on broadcasts will not see machines on the other side of the VPN
Works only with IPv4 in general and IPv6 in cases where tuntap drivers on both ends of the connection
support it explicitly
Bridging advantages
Broadcasts traverse the VPN -- this allows software that depends on LAN broadcasts such as Windows
NetBIOS file sharing and network neighborhood browsing to work
No route statements to configure
Works with any protocol that can function over ethernet
Relatively easy-to-configure solution for road warriors
Bridging disadvantages
Less efficient than routing and does not scale well
533 Setup Network Bridge With either bridging mode or routing mode one can create point-to-site VPN site-to-site VPN or even multiple site-
to-site networks Once a network structure is well designed one can use Featureini file to control NeoRouter client
service to implement it
The file Featureini is located in the main configuration folder which can be various for different OS
On Windows Xp
XDocuments and SettingsAll UsersApplication DataZebraNetworkSystemsNeoRouter
On Vista+
XUsersAll UsersZebraNetworkSystemsNeoRouter
On Linux and Mac OSX
usrlocalZebraNetworkSystemsNeoRouter
On in-a-box
jffs
If it does not exist please create one
The only thing to do is define the parameters in the Featureini file
User Manual
NeoRouter Inc 2010 Page 43 of 53
NetworkBridge=1
LANSegment parameter
This is a set of parameters used for mapping the external IP address or IP range to a virtual IP address so that
NeoRouter can route the packets to the proper tunnel Its defined in the following format
LANSegment[index]=[IP|IP range|segment]VIP
[index] - number start from 1 for example 123
[IP] - a valid external IP address for example 192168129126
[IP range] - a set of external IP addresses in the format as IP_BEGIN-IP_END For example 192168129126-
192168129128
[segment] - a set of external IP addresses in the format as SUBNETWORKNETMASK For example
19216812902552552550
For example
[Default]
NetworkBridge=1
LANSegment1=192168129126-192168129128192168129204
LANSegment2=192168129120192168129205
LANSegment3=192168302552552550192168129206
In the sample above the setting tells NeoRouter how to route packets
Here are several common scenarios
534 Bridging Setup ndash point to site VPN
Requirement
A company wants create a point-to-site VPN so that the employees can remotely access the printers or computers in
the office from home or customer site Since NeoRouter client cannot be installed on the printers and some
User Manual
NeoRouter Inc 2010 Page 44 of 53
computers that are running Unix OS (HP-Unix Solaris or SCO Unix) the NeoRouter Network Bridge feature
would the best choice
Design
Since we want to use the printer its better to use the bridging mode Depending on the requirements we split the
network into 3 groups
1 192168129126 - 192168128128 used for computers or printers
2 192168129200 - 192168129254 used for NeoRouter DHCP
3 Other IP address we dont want packets from these IP range go to our VPN
Setup
1 Setup NeoRouter server and config the DHCP address to 1921681292002552552550
2 Setup the gateway computer by creating a bridge to combine the NeoRouter virtual adapter and a local adapter
On Windows XP+ (except WinXp x64) one can use Windows tool to create a bridge
(check out MSDN for details)
Since some adapters may not fully support prosmic mode one has to enable it manually
(check out httpsupportmicrosoftcomkb302348)
gt netsh bridge show adapter
gt netsh bridge set a 1 e
gt netsh bridge set a 2 e
On Linux one can use brctl command to create a bridge
gt brctl addbr $br
gt brctl addif $br eth0
gt brctl addif $br nrtap
gt ifconfig nrtap 0000 promisc up
gt ifconfig eth0 0000 promisc up
gt ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast
gt
gt ifconfig $br down
gt brctl delbr $br
3 Setup Featureini file on each member of the NeoRouter network The content of the file is
[Default]
NetworkBridge=1
LANSegment1=192168129126-192168129128192168129204
After setting the file restart the nrservice or reboot computer
User Manual
NeoRouter Inc 2010 Page 45 of 53
535 Routing Setup ndash site to site VPN
Requirement
A company wants create a site-to-site VPN to link two offices located in different cities They cannot install
NeoRouter client software on their computers running Unix OS (HP-Unix Solaris or SCO Unix) The NeoRouter
Network Bridge feature would be the best choice
Design
To make the VPN fast its better to use the routing mode From the requirements we can see 3 networks
1 19216812902552552550 Office 1
2 192168302552552550 Office 2
3 100102552552550 NeoRouter virtual network
Setup
1 Setup NeoRouter client on each gateway computers
2 One each gateway computer enable the feature allowing the OS to forward packets
On Windows 2000+
create HKEY_Local_MachineSystemCurrentControlSetServicesTcpipParametersIPEnableRouter
as a string value equal to 1 in the registry This will require a system reboot to take effect To confirm it
is enabled do ipconfig all from the command line IP Routing Enabled should say yes If not confirm your
registry setting and reboot again This setting is flaky in non-server versions of Windows
Also refer to httpsupportmicrosoftcomkb230082en-us
On Linux
gt echo 1 gt procsysnetipv4ip_forward
User Manual
NeoRouter Inc 2010 Page 46 of 53
On Mac OS X
1) The easy way is to create or edit etcsysctlconf and add netinetipforwarding=1
or
2) gt sysctl -w netinetipforwarding=1
3 Setup route on each gateway
On the gateway of the 1921683x network
gt route ndashp add 1921681290 mask 25525500 1001103
On the gateway of the 192168129x network
gt route ndashp add 19216830 mask 25525500 1001102
4 Setup route stable When using routing method you need to tell your other machines how to cross the VPN to
access computers on the opposite network
Option1
This requires more work but limits configuration changes to be at the computer level
On each computer of the 1921683x network
gt route ndashp add 1921681290 mask 25525500 1921683234
On each computer of the 192168129x network
gt route ndashp add 19216830 mask 25525500 192168129129
Option 2 (not all routers support this but it is the minimal configuration method)
On the router acting as the default gateway for 1921683x network add a static route that says any traffic destined
for 1921681290 network go through 1921683x (IP address of NeoRouter PC on 1921683x network)
On the router acting as the default gateway for 192168129x network add a static route that says any traffic
destined for 19216830 network go through 192168129x (IP address of NeoRouter PC on 192168129x
network)
User Manual
NeoRouter Inc 2010 Page 47 of 53
536 Bridging Setup ndash site to site VPN
537 Run Scripts When Network Bridge feature is enabled one can define commands getting called by NR Client on the following
events
These commands should be defined in the Featureini file
1When initialize the tap device but not activate it yet
CmdOnTapInit=xxxxxxxxx
2When the tap device gets activated
CmdOnTapActive=xxxxxxxxx
3When tap device gets destroyed
CmdOnTapUninit=xxxxxxxxx
These options are available on all platforms
For example one can define a script to setup static route table after the tap gets activated and has virtual IP address
assigned
Featureini
CmdOnTapActive=usrbinsetroutetablesh
User Manual
NeoRouter Inc 2010 Page 48 of 53
54 Build Custom Add-on (Windows)
541 Create Custom Add-on You can customize an add-on or even create your own
As an example letrsquos create an add-on to get the system info of a remote computer using PsTools by Mark
Russinovich and systeminfoexe command shipped with Windows
PsTools httptechnetmicrosoftcomen-ussysinternalsbb896649aspx
systeminfo httptechnetmicrosoftcomen-uslibrarybb491007aspx
a Launch NeoRouter Network Explorer open Add-ons Manager dialog
b Click + button to create a new add-on
c In add-on properties dialog enter the following
Add-on name psexec systeminfo
Command
cmdexe C cpstoolspsexecexe NRIPAddress -u ltusernamegt systeminfo amp pause
Please replace ltusernamegt with username on the remote computer
Comment Get SystemInfo of remote machine using psexec
Startup Type Manual
Icon click Change Icon button to choose one thats easy to recognize
d In the command you can use Windows environment variables or NeoRouter variables like
NRIPAddress If you click on the button next to the Command edit box you will see the Edit
Command dialog with a list of variables you can use
User Manual
NeoRouter Inc 2010 Page 49 of 53
e Three Startup types are supported
Manual the add-on will be displayed in the launch pad of Network Explorer and user can manually
launch the program
Automatic after signing in the add-on command is automatically executed when user signs into
NeoRouter Network Explorer
Automatic after Windows starts the add-on command is automatically executed when Windows
starts
f Launch the new add-on just click on the target computer in Network Explorer and choose the add-on in
the pop-up launch pad
User Manual
NeoRouter Inc 2010 Page 50 of 53
g In the above steps I have assumed that PsTools are installed at cPsTools and the remote computer has
telnet service enabled If not lets configure the system now
PsTools download from httptechnetmicrosoftcomen-ussysinternalsbb896649aspx and extract to
cPsTools folder
h Configure telnet service on remote computer This step is required on XPVista but not necessary on
Windows 20032008 servers
Run servicesmsc from the Start -gt Run command window and configured the Telnet service for
Automatic Start the service
Follow the instructions here httpsupportmicrosoftcomkb298060en-us
Launch Windows firewall and add CWINDOWSSystem32tlntsvrexe to exception list
542 Add-on File Formats
NeoRouter supports two types of add-on files nri and nra Most users only need to deal with nri files all files
downloaded from httpwwwneoroutercomaddonsindexhtml are in this format nra files are used by advanced
users to build custom add-ons
nri is the full installation package that contains both the application and the the configure info Users can simply
download nri files from and use the Install button to setup the add-on
nra contains only the configuration info Advanced users can create custom add-ons and export the configuration
info as nra files using the Export button in the add-on properties dialog Then heshe can import the nra file
on another client But remember that you will need to manually setup the application as well
User Manual
NeoRouter Inc 2010 Page 51 of 53
6 Licensing NeoRouter
61 Licensing Overview
NeoRouter Server Professional Edition has a license control mechanism User can purchase either 8 licenses or 256
licenses The number of licenses is the max number of client computers allowed in the virtual network A
NeoRouter client requires one license regardless of whether it is online or offline A NeoRouter PortableUSB client
requires one license when it is connected to the virtual network There is no limit on the number of user accounts
NeoRouter Professional has 30 days trial period Please activate before the trial period expires to ensure
uninterrupted usage The license status and remaining trial days can be found at Configuration Explorerrsquos General
page
62 Activation
If you have purchased NeoRouter Professional Edition you should receive a product key in email Please have the
product key ready before starting the activation process
a Ensure NeoRouter server is running
b Launch Configuration Explorer and sign in
c Open ldquoGeneralrdquo page click on the ldquoActivate Productrdquo button
d Enter the product key in the following dialog
e Click on the ldquoOKrdquo button to activate it
After successful activation the ldquoActivate Productrdquo button will disappear and License status will show as activated
If the server host is non-Windows you can also activate using nrserverrsquos CLI The command is as follows On Mac
nrserver executable is located under LibraryNeoRouter
ldquonrserver ndashactivateproduct ltPRODUCT KEYgtrdquo
63 Product Key Recovery
You should receive a product key in email within 48 hours after your purchase If you lose the product key please
contact us and provide your name company shipping address and email address We will verify the information and
resend the product key to you
User Manual
NeoRouter Inc 2010 Page 52 of 53
7 Troubleshooting and Support
71 Troubleshooting
If you come cross issues when using NeoRouter please use the methods to debug or report
711 Troubleshooting steps
1Install Server
2Check Server
Process
3Check Server
Listening port
4Check Port
Forwarding
6Signin with
Domain
14Check Error
Message
20 Generate Log
and email support
9Install Client
10Check Client
Service Process
11Sign in with
serverrsquos local or
public IP and port
failed
sucessful
15 Manually Start
Servernot found
started
not start
found
not open17 Check Port
conflicts
solved
Not solved
opened
19 Check Router
Port Forward
setting
not work
Set properly
8Ready
Sign in successfully
5Sign in with
public IP and port
successful
Cannot sign in
22 Router Hairpin
issue
Cannot
sign in
12Sign in with
domain name
found
successful
failed
16 Manually Start
Client ServiceNot found
started
13Ready
Sign in successfully
18 Check serverCannot
Sign in
solved
Cannot
sign in
21 Check domain
setting
Not sovled solved
Troubleshooting Steps
Setup Server Setup Client
Note
Step 2 and 10 to check if a process is running you can use Task Manager or Services Console on
Windows or ps command on other platforms
Step 3 to check server listening port you can use telnet or netstat on all platforms You can also
TcpViewer on Windows or NetActView on Linux
Step 4 to check port forwarding you can use httpwwwneoroutercomcheckportphp
Step 5 and 6 Tip ndash use Configuration Explorer instead of Network Explorer to debug server issues
Step 20 next section will explain how to generate log files
User Manual
NeoRouter Inc 2010 Page 53 of 53
Step 22 If your router does not support Hairpin please set serverrsquos LAN address in the Connection
Options dialog See Server Local Address
712 Generate Log
If you need technical support please use the following steps to collect the log files and send them to
supportneoroutercom
a Launch Network Explorer
b Select menu item HelpgtgtTroubleshootinggtgtLog Session to File
c If you want to troubleshoot the server then restart the NeoRouter server service from the servicesmsc if
you want to create log for the client then restart the NeoRouter client service from the servicemsc
d After reproduce the issue select menu item HelpgtgtTroubleshootinggtgt Log Session to File again to disable
the log and restart the service you are trying to log
e Select menu item HelpgtgtTroubleshootinggtgtOpen Configuration Folder and you will see the log file
For advanced users please setup logging settings manually referring to
httpwwwneoroutercomwikiindexphpNeoRouterWikiFAQHow_to_generate_a_log_file3F
72 Contact Us
Company website
httpwwwneoroutercom
Technical support
supportneoroutercom
Support ticket
httpswwwneoroutercomDashboardSendTicketaspx
Support forum
httpwwwneoroutercomforum
Product sales
salesneoroutercom
Knowledge base
httpwwwneoroutercomsupport
User Manual
NeoRouter Inc 2010 Page 9 of 53
d Setup a domain name that can uniquely identify your virtual LAN You will need to enter the domain name
in the log on to box during sign in
e Setup the administrator account for your domain You will need to enter the username and password during
sign in
User Manual
NeoRouter Inc 2010 Page 10 of 53
f Click the Finish button to complete installation
g NeoRouter is installed under ldquoProgram FilesZebraNetworkSystemsNeoRouterrdquo and user data is stored
under ldquoAllUsersAppdataZebraNetworkSystemsNeoRouterrdquo
h NeoRouter server daemon can be controlled in Services Console (servicesmsc)
223 Install NeoRouter server on Mac
a Download NeoRouter server for Mac
b If you have installed an earlier version of NeoRouter please uninstall it In a terminal execute command
sudo LibraryNeoRouterrmnrserversh
c Double-click nrserver-ltversiongt-ltreleasegtdmg to open the disk image in Finder
d Double-click NeoRouterServermpkg to launch installer
e NeoRouter is installed under LibraryNeoRouter folder and user data is stored under
usrlocalZebraNetworkSystemsNeoRouter
224 Install NeoRouter server on Linux
a Download NeoRouter Server for your Linux distribution
b If you have installed an earlier version of NeoRouter please uninstall it
Redhat and Fedora sudo rpm -e nrserver
SuSE sudo rpm -e nrserver
Ubuntu and Debian sudo dpkg -r nrserver
c Install
Ubuntu amp Debian sudo dpkg -i nrserver-ltversiongt-ltreleasegti386deb
SuSE sudo rpm -i nrserver-ltversiongt-ltreleasegti386rpm
Redhat and Fedora sudo rpm -i nrserver-ltversiongt-ltreleasegti386rpm
Configure OpenSSL NeoRouter is compiled using openssl 098g If you have an older version of
Fedora please upgrade the openssl package You may also need to add the following symbol links
cd lib
ln -s libcryptoso098g libcryptoso098
ln -s libsslso098g libsslso098
d Configure firewall for NeoRouter server listening port
User Manual
NeoRouter Inc 2010 Page 11 of 53
Redhat and Fedora In a terminal run command sudo nano etcsysconfigiptables add -A INPUT -m
state --state NEW -m tcp -p tcp --dport 32976 -j ACCEPT before COMMIT
SuSE Launch firewall configuration tool choose Allowed Services in the left panel choose External
Zone in the first drop-down box choose NeoRouter server in the second drop-down box click Add
button click Next click Finish to save the changes
Ubuntu does not support firewall by default If you setup any firewall please open NeoRouter server port
(32976 by default)
e NeoRouter is installed under usrbin and user data is stored under
usrlocalZebraNetworkSystemsNeoRouter
225 Install NeoRouter Server on OpenWRT Kamikaze
a Connect to the router using ssh
b Update available install packages using command opkg update
c If you have installed an earlier version of NeoRouter please uninstall it opkg uninstall nrserver
d Install opkg install httpwwwneoroutercomDownloadsKamikazenrserver_ltversiongt-
ltreleasegt_mipselipk
e Configure firewall for the NeoRouter server listening port
edit etcfirewalluser and add the following
iptables -t nat -A prerouting_wan -p tcp --dport 32976 -j ACCEPT
iptables -A input_wan -p tcp --dport 32976 -j ACCEPT
f NeoRouter is installed under usrbin and user data is stored under
usrlocalZebraNetworkSystemsNeoRouter
226 Install NeoRouter Server on Tomato
a Download NeoRouter Server for Tomato It is a custom build of the full tomato firmware in TRX format
b Flash your router with the downloaded firmware See httpenwikibooksorgwikiTomato_(firmware) for
instructions
c In tomato UI ndash Administration ndash Jffs2 enable jffs and format if needed
d In tomato UI ndash Administration ndash scripts ndash WAN up add usrbinnrserversh start
e Reboot router
f NeoRouter is installed under usrbin and user data is stored under
usrlocalZebraNetworkSystemsNeoRouter
g Troubleshoot If you have trouble signing into NeoRouter Network Explorer from a remote client please
try DISABLE the Inbound Connection Logging In tomato UI - Status - Logs - Logging Configuration
disable Inbound Connection
227 Install NeoRouter Server on Fonera 20 N
a Download the NeoRouter Server for Fonera 20N (FON Plugin) package
b Open browser and log on to Fonera router web interface By default it is http192168101
c Navigate to Dashboard gtgt Applications
d If you have installed an earlier version of NeoRouter please uninstall it choose NeoRouter and click on the
ldquoXrdquo button to remove it
e Make sure there is more than 13MB free space left on the device
f Click the Browse button and choose the NeoRouter package then click the Upgrade button
g The installation will complete in a few seconds and the webpage will refresh automatically Do not
interrupt your browser during installation
h Please verify that NeoRouter icon shows up in the applications list and dashboard
i NeoRouter is installed under usrbin and user data is stored under
usrlocalZebraNetworkSystemsNeoRouter
User Manual
NeoRouter Inc 2010 Page 12 of 53
228 Create first administrator account
On Windows the install wizard will guide user to create the administrator
On non-Windows platforms NeoRouter can defer the authentication to the OS So user can sign in NeoRouter
using the same username and password as heshe logs into OS An exception is that if userrsquos OS account does
not have a password NeoRouter will not allow heshe to log in In this case user must create the first
administrator account using nrserver CLI ldquonrserver -adduser ltusernamegt ltpasswordgt [admin|user]rdquo On Mac
nrserver is located under ldquoLibraryNeoRouterrdquo
229 Setup NeoRouter domain
This step is only necessary on non-Windows platforms because Windows install wizard does this
automatically
a Launch web browser navigate to Dashboard CreateDomain page
httpswwwneoroutercomDashboardCreateDomainaspx fill the form and click Save
b Open a terminal on the server host and execute ldquonrserver -setdomain ltdomain namegt ltdomain
passwordgtrdquo On Mac nrserver is located under ldquoLibraryNeoRouterrdquo
2210 Port forwarding
This step is only necessary if your server host is behind a router or firewall We need to expose the NeoRouter
server port to Internet so server can accept incoming connections from the NeoRouter clients If you are using
NeoRouter in-a-box version and your router is directly connected to the cableDSL modem this step is
unnecessary
a Assign the server host a static LAN IP address
b Add ltserver host IP port 32976gt to Port Forwarding list NeoRouter server listens at port 32976 by default
and admin can change the port number using Configuration Explorer or nrserver CLI
Another option is to expose the NeoRouter server port is by UPnP This is only supported on Windows
a Enable UPnP in your router or firewall
b Launch Configuration Explorer on the server host click on ldquoSettingsrdquo tab and change ldquoserver NAT
settingrdquo to ldquoEnable UPnPrdquo
c Click the ldquoRestartrdquo button to restart server daemon
23 Client Setup
231 Install NeoRouter Client on Windows
a Download NeoRouter installation package for Windows NeoRouter server and client for Windows share
the same installation package
If you are installing on Windows 2000 please download the special package for this OS
b If you have installed an earlier version of NeoRouter please uninstall it using Windows Add or Remove
Program tool
c Run the installation wizard choose NeoRouter Client and click the Next button
User Manual
NeoRouter Inc 2010 Page 13 of 53
d On Vista or Win7 you may be prompted with a security warning because NeoRouter installs a virtual
network adapter Please allow the installer to proceed
e Follow the wizard to complete installation
f NeoRouter Network Explorer and Configuration Explorer are added to Windows Start menu
g NeoRouter is installed under ldquoProgram FilesZebraNetworkSystemsNeoRouterrdquo and user data is stored
under ldquoAllUsersAppdataZebraNetworkSystemsNeoRouterrdquo
h NeoRouter client service daemon can be controlled in Services Console (servicesmsc)
232 Install NeoRouter Client on Mac
a Download NeoRouter client for Mac
b If you have installed an earlier version of NeoRouter please uninstall it In a terminal execute command
sudo LibraryNeoRouterrmnrclientsh
c Double-click nrclient-ltversiongt-ltreleasegtdmg to open the disk image in Finder
d Double-click tuntap-ltversiongtpkg to install virtual network interface kernel extension
e Double-click NeoRouterClientmpkg to install NeoRouter client
f On Leopard or above NeoRouter Network Explorer is installed to the Applications folder
g On PPC Tiger a shortcut (nrclientcmd) is created on the Desktop and double-click it will launch Network
Explorer CLI
h NeoRouter is installed under ApplicationsNeoRouterapp and LibraryNeoRouter folder and user data is
stored under usrlocalZebraNetworkSystemsNeoRouter
233 Install NeoRouter Client on Linux
a Download NeoRouter Client for your Linux distribution
b If you have installed an earlier version of NeoRouter please uninstall it
Redhat and Fedora sudo rpm -e nrclient
SuSE sudo rpm -e nrclient
Ubuntu and Debian sudo dpkg -r nrclient
c Install
User Manual
NeoRouter Inc 2010 Page 14 of 53
RedHat and Fedora sudo rpm -i nrclient-ltversiongt-ltreleasegti386rpm
SuSE sudo rpm -i nrclient-ltversiongt-ltreleasegti386rpm
Ubuntu and Debian sudo dpkg -i nrclient-ltversiongt-ltreleasegti386deb
d Configure firewall for P2P connection (Optional)
Establishing direct P2P connection on Linux requires user to disable firewall Otherwise all connections to
this client will be relayed via server User must evaluate the trade-offs between performance and security
If this client is always physically located inside a trusted network like office or home LAN we recommend
disabling firewall and allow P2P connection If this client is physically located in an un-trusted network
like airport or coffee shop we recommend enabling firewall and relay all traffic via server
e Run usrbinnrclientcmd to launch Network Explorer CLI
f NeoRouter is installed under usrbin and user data is stored under
usrlocalZebraNetworkSystemsNeoRouter
234 Install NeoRouter Client on OpenWRT Kamikaze
a Connect to the router using ssh or telnet
b Update available install packages using command opkg update
c If you have installed an earlier version of NeoRouter please uninstall it opkg uninstall nrclient
d Install opkg install httpwwwneoroutercomDownloadsKamikazenrclient_ltversiongt-
ltreleasegt_mipselipk
e Configure firewall for P2P connection (Optional)
Please read NeoRouter client installation instructions for Linux and evaluate the trade-off between
performance and security If you decide to turn off firewall here is the instruction
edit etcfirewalluser and add the following
iptables -t nat -A prerouting_wan -p tcp -j ACCEPT
iptables -A input_wan -p tcp -j ACCEPT
iptables -t nat -A prerouting_wan -p udp -j ACCEPT
iptables -A input_wan -p udp -j ACCEPT
f Run usrbinnrclientcmd to launch Network Explorer CLI
g NeoRouter is installed under usrbin and user data is stored under
usrlocalZebraNetworkSystemsNeoRouter
h Turn your router into a file or backup server (Optional)
If your router has 8MB or more flash there should be enough space left for other packages You can enable
USB storage and Samba server and turn your router into a file server Or you can install rsync and turn it
into a backup server NeoRouters remote access and VPN service will allow you to securely access the
files from anywhere This solution is a lot cheaper than Small Business server or Windows Home server
Enable USB Storage httpnuwikiopenwrtorgoldwikiusbstoragehowto
Install Samba httpwikiopenwrtorgoldwikisambahowto
Install rsync httpoldwikiopenwrtorgrsync(2d)usb(2d)sambaHowTohtml
235 Install NeoRouter Client on Fonera 20N
a As Fonera 20N does not provide enough flash memory to install the NeoRouter client package we can run
it from a USB drive Another option is to flash the router with OpenWrt Kamikaze
b Download NeoRouter Client for Fonera 20N package
c Copy the package to a USB drive plug the USB drive to the FON router
d Connect to router using ssh
e Extract files tar zxvf nrclient-0991528-fon2n-mipseltgz
f If you didnt install the NeoRouter server plugin for FON please run the following commands Otherwise
you can skip this step
cp libuClibc++-022so usrliblibuClibc++-022so
ln -s usrliblibuClibc++-022so usrliblibuClibc++so0
g Setup NeoRouter Client
mkdir usrlocalZebraNetworkSystemsNeoRouter
run ldquonrservice amprdquo to launch the client service in the background
User Manual
NeoRouter Inc 2010 Page 15 of 53
run nrclientcmd to launch the Network Explorer CLI
h Disable firewall if you would like to establish direct P2P connection to this client
i Use the following steps to run client service automatically
vi usrbinnrcronclient and enter
binsh
if [ -z $(ps | grep nrservice | grep -v grep) ] then
usrbinnrservice gtdevnull amp
fi
exit 0
chmod 755 usrbinnrcronclient
Add a new entry to fonstate
etcinitdfonstate stop
vi etcconfigfonstate and enter
config fontimer
option action usrbinnrcronclient
option period 30
etcinitdfonstate start
3 Network Explorer
31 Launch and Sign In
a On Windows launch NeoRouter Network Explorer from Windows Start Menu | All Programs | NeoRouter
| NeoRouter Network Explorer
On Mac Leopard or above launch NeoRouter Network Explorer from Applications folder You can also
pin NeoRouter to the dock
User Manual
NeoRouter Inc 2010 Page 16 of 53
b Enter user credential
- If NeoRouter server is installed on Windows please use the administrator account created during
server setup
- If NeoRouter server is installed on other platforms NeoRouter can defer the authentication to the
operating system so user can sign in using the same username and password as heshe logs into OS
- User can also use the additional accounts created in Configuration Explorer or server CLI
- If you are invited to a NeoRouter domain please contact the administrator for your account
information
c In the Log on to field enter the domain name you have chosen during server setup Alternatively you can
enter the serverrsquos IP address or computer name You can also enter localhost if the Network Explorer is
on the same host as the server
d If the client host is behind proxy please choose Menu ldquoFile | Connectionsrdquo to bring up the Connection
Options dialog click Proxy Setting tab and then set proxy information
e Click the Sign In button
32 Computer List
The computer list is your view of the VLAN You can add any computer in your VLAN to this list and organize
according to your preference You will always have the same list regardless where you sign in from Each user will
have hisher separate list
Initially you will see an empty computer list after signing in for the very first time (see the left picture below) To
add a computer you can choose the menu Computers | Add a computer and then select the computer and category
in the dialog Once complete your computer list will be updated (see the right picture below)
You can use categories to help manage a long list of computers To create a category you can choose menu
Computers | Create a category To move a computer to a different category you can simply drag and drop
User Manual
NeoRouter Inc 2010 Page 17 of 53
Starting in release v098 the computer list shows the OS type icons next to a computer name If a computer is
online its icon is colourful and its name is bold If a computer is offline its icon is grey and its name is not bold
33 Add-on Add-ons extend NeoRouter Network Explorer and let you perform additional tasks over the virtual network
User Manual
NeoRouter Inc 2010 Page 18 of 53
331 Add-on launch pad
If you click on a computer in the computer list a popup dialog will display a list of actions you can take to remotely
control and access this computer This dialog is called the add-on launch pad
Screenshots on Windows
Screenshot on Mac
User Manual
NeoRouter Inc 2010 Page 19 of 53
NeoRouter Network Explorer has a few system default add-ons If a computer is online the following add-ons are
available
Icon Action
remote desktop connection
file sharing
ICMP ping
copy the IP address
If a computer is offline the following add-ons are supported
Icon Action
remote wakeup (WOL)
Note on remote wakeup NeoRouter server can send the Magic packet and wake up hosts that are WOL enabled If
the NeoRouter server is installed on a router remote wakeup works for hosts directly attached to this router If
server is installed on Windows Linux or Mac remote wakeup works for hosts in the same physical LAN To enable
WOL you may need to change BIOS and OS settings
332 Manage Add-ons (Windows)
You can download additional add-ons from the NeoRouter download website
(httpwwwneoroutercomaddonsindexhtml) and install them using the Add-on Manager Here we use UltraVNC
as an example to explain the setup process
a Launch NeoRouter Network Explorer choose menu File - Add-ons
b The Add-ons Manager dialog lists all the existing add-ons including system default ones and those
installed by user
User Manual
NeoRouter Inc 2010 Page 20 of 53
c To find more add-ons click on the Add-ons Gallery link at the bottom of the dialog or visit
httpwwwneoroutercomaddonsindexhtml in your web browser Download the add-on (nri) file to
your computer
d In the Add-ons Manager dialog click on Install button locate the nri file you just downloaded and
click Open to install the add-on
e Some add-ons including UltraVNC may require user to restart the NeoRouter Network Explorer to
complete the installation In such case you will see the following message box You can exit NeoRouter
Network Explorer by right click its icon in system tray and choose exit
f After installation you will see the new add-ons show up in the list
User Manual
NeoRouter Inc 2010 Page 21 of 53
g When you re-launch NeoRouter Network Explorer UltraVNC server will be started automatically If you
have not run UltraVNC server before you will see the following firewall warning and VNC configuration
dialog
h Please click the unblock button when you see the following dialog
Please enter VNC password then click the Ok button
User Manual
NeoRouter Inc 2010 Page 22 of 53
i Repeat the above steps on the remote computer that you plan to access
j To launch VNC viewer and access the remote computer choose the computer in the computer list and
click VNC viewer icon in the launch pad
333 Manage Add-ons (Mac)
a Launch NeoRouter Network Explorer choose menu File - Add-ons
b The Add-ons Manager dialog lists all the existing add-ons including system default ones and those added
by user
User Manual
NeoRouter Inc 2010 Page 23 of 53
c An add-on is essentially an apple script with NeoRouter parameters Here are some examples
Name Script
Copy IP set the clipboard to $NRIPAddress
Ping tell application Terminal to do script ping $NRIPAddress
Shared Folder tell application Finder to open location smb$NRIPAddress
Variables $NRIPAddress and $NRComputerName will be replaced with the IP and name of the selected
computer before the add-on is executed
d You can also create new add-ons or edit existing ones using the Add-On Properties dialog
User Manual
NeoRouter Inc 2010 Page 24 of 53
e To learn more about Apple Script please visit the following websites
httpenwikipediaorgwikiAppleScript
httpdeveloperapplecommaclibrarydocumentationAppleScriptConceptualAppleScriptXAp
pleScriptXhtml
34 Connection Options Connection Options dialog can be opened from Network Explorer menu ldquoFile | Connectionrdquo
341 P2P Connection This option allows user to specify the connection type between this computer and its peers The default option is
UDP User can also use direct TCP connection or relay traffic through NeoRouter server
342 Proxy Setting If the client host is behind proxy user can enter the proxy information here
User Manual
NeoRouter Inc 2010 Page 25 of 53
343 Server Local Address This option can be used to work around the connectivity issue when NeoRouter server is behind a router that does
not support hairpin
A router supports hairpin if it allows a host behind it to send network messages to its public-facing interface
Unfortunately some popular routers do not support this feature or turn off this feature by default
When user logs into NeoRouter Network Explorer first translates domain name into routerrsquos public address using
the NeoRouter DDNS service and then tries to connect to server using this address If both NeoRouter server and
client are behind the same router and the router does not support hairpin the router will block the messages that
client sends to the routerrsquos public address thus client fails to establish connection to server User could work around
this issue by entering serverrsquos LAN IP address instead of domain name in the ldquolog on tordquo box but this can be a
hassle for laptop users who frequently move between networks
These users can choose the second option ldquoConnect to server using its local address when possiblerdquo in the following
dialog and enter serverrsquos local address NeoRouter Network Explorer can detect when client and server are behind
the same router and automatically choose the specified local address to establish the connection to server
User Manual
NeoRouter Inc 2010 Page 26 of 53
35 Multi-Language
Multi-Language support allows you to change the default language displayed in Network Explorer NeoRouter
Portable and Configuration Explorer
351 Install a language resource file
NeoRouter applications support 34 languages and English is the default To install a new language you can
download the language resource files from
httpwwwneoroutercomwikiindexphpNeoRouterWikiMultilanguage and place them under the translation
folder Then the application will load them and list all available languages in the Language menu You can switch
language in the menu and the application will refresh its UI with the new language
For NeoRouter Network Explorer and Configuration Explorer the language resource files should be placed under
one of the following folders
ldquoProgram FilesZebraNetworkSystemsNeoRouterTranslationrdquo
ldquoAllUsersAppdataZebraNetworkSystemsNeoRouterTranslationrdquo
For NeoRouter PortableUSB the language resource file should be placed under Translations folder next to
application
352 Language resource file format
The file name should have the following format [Appliation Name] can be NRClient NRViewer and NRConsole
[LangCd] is the short language code
[Application name]Resource[LangCd][xml|dll]
For example Simplified Chinese version has the following files NRClientResourceZhCnxml for Network
Explorer NRConsoleResourceZhCnxml for Configuration Explorer and NRViewerResourceZhCnxml for
NeoRouter Portable
User Manual
NeoRouter Inc 2010 Page 27 of 53
Each resource file is an xml that contains all the strings defined in the NeoRouter applications The file is encoded in
ANSI The content should be in the format
ltxml version=10 encoding=windows-1252gt
ltresource CompactMode=1 Language=English (United States) LANGID=1033
version=09101650gt
ltstring id=100 value=OLE initialization failed Make sure that the OLE libraries are
the correct versiongt
ltresourcegt
Encoding (=windows-1252) Language(=English (United States)) and LANGID(=1033) are used to control
the translation version=09101650 is resource file version number introduced in v0910 The resource file can
be recognized properly only when these parameters are set properly
353 Multi-Language support for Add-ons
The names and descriptions of the add-ons can be translated to other languages as well You can download the add-
on configuration file from NeoRouter website and overwrite the following file
AllUserAppDataZebraNetworkSystemsNeoRouterAddOnsAddOnxml
36 Skin
Skin allows you to further customize the user interfaces of Network Explorer NeoRouter Portable and
Configuration Explorer
To install a new skin you can download the skin resource file from
httpwwwneoroutercomwikiindexphpNeoRouterWikiSkin and place them under the skin folder
For NeoRouter Network Explorer and Configuration Explorer the language resource files should be placed under
one of the following folders
ldquoProgram FilesZebraNetworkSystemsNeoRouterSkinrdquo
ldquoAllUsersAppdataZebraNetworkSystemsNeoRouterSkinrdquo
For NeoRouter PortableUSB the language resource file should be placed under Skin folder next to executable
To change default skin you need to modify (or create if not exists)
AllUserAppDataZebraNetworkSystemsNeoRouterFeatureini file and add the following
[Default]
SkinName=xxxxstyles
SkinStyle=xxxxini
37 Network Explorer CLI
NeoRouter Network Explorer Command Line Interface (CLI) allows user to sign in manage the computer list and
view computer status Below are the screenshots on Mac and Ubuntu Linux
User Manual
NeoRouter Inc 2010 Page 28 of 53
371 Launch CLI
Usage nrclientcmd [-d DOMAIN] [-u USERNAME] [-p PASSWORD] [-setproxy] [-setconn] [-dbroot DBROOT]
[-internal] [--help]
To launch Network Explorer CLI you can simply run nrclientcmd in a terminal without parameters Mac users can
simply double-click on the nrclientcmd shortcut on the Desktop You will be prompted for domain name and user
credential
If you need to launch nrclientcmd in a startup script you can also provide domain name or credential in the
command line arguments
If the client host is behind a proxy you can use ndashsetproxy option The proxy information will be stored in the
configuration file and nrclientcmd will respect this setting subsequently
There are also a few advance options
- setconn allow user to specify client-to-client connection type
- dbroot allow user to specify the location to store user data
- internal nrclientcmd will generate tags between information sections This option can be used by third
party developers to create a UI wrapper for CLI
372 Computer List in CLI
After signing in you will see your computer list just like on Windows The computer list will automatically update
if there are any changes in your virtual LAN eg a host comes online or offline
At the bottom of the screen lists the available commands you can use to manage the computer list change password
remotely wake up a computer or to quit
38 Network Explorer Portable
NeoRouter Network Explorer Portable can run from any computer without installation It does not require
administrator permission or use the virtual network adapter This application can be extremely useful for users who
need to connect to the VLAN from a public kiosk or from friendrsquos house
User Manual
NeoRouter Inc 2010 Page 29 of 53
Note Prior to v111 Portable and USB are two separate packages They are merged into one package in v111 and
later releases The new package is a zip file containing both the portable client and the USB Auto Run Configuration
Tool The functionalities are same as before
381 Network Explorer Portable
To use Network Explorer Portable client user can simply download it from NeoRouter download website and run
Then user will see the same user interface as the regular Network Explorer The user experience is almost the same
except for the following
The host running PortableUSB client cannot be added to the computer list or be accessed by remote computer
You can think of it as a ldquoviewer of the VLANrdquo
NeoRouter administrator users can see and manage hosts running PortableUSB clients in the Configuration
Explorer
382 Auto Run Configuration for USB
Auto Run Configuration Tool allows user to store the portable client add-ons and configuration on a USB drive
You can even configure it to launch and sign in automatically when the USB drive is plugged into a computer and to
sign out and exit when the USB drive is unplugged
Here are the steps for setting up the USB package
a Download NeoRouter for USB
b Unzip the package to any folder For example CTEMP
c Launch the ldquoAuto Run Configuration Toolrdquo (AutoRunCfgexe)
User Manual
NeoRouter Inc 2010 Page 30 of 53
d Click on the ldquohelliprdquo button next to the working directory text box and specify a working path If the target
USB drive is plugged in you can specify the USB drive root path as the working directory Or you can
specify a temporary path (eg CTEMPUSB) and copy the files to your USB driver later
e Once you specify a working directory the Settings section will be enabled
f Choose CliViewerexe from the same install zip package as the Target file
g Check the Sign in checkbox and enter the domain name and user information to log into your NeoRouter
VLAN
h Setup the proxy information if necessary
i If you want to import a NeoRouter add-on click on the button on the right side of the Add-on file text
box and specify an add-on nri file
j If you want to run an application automatically after signing in click on the Run application
automatically check box and input an executable file path and parameters
k If you want to hide the NeoRouter Viewer window click on the Minimize NeoRouter window when
started
l Click on Save button to save the configuration files It will generate the following files under the working
directory
- Autoruninf
- CliViewerexe copied from the target file
- NRAutoRunxml
- [add-on file]nri if you specify an add-on
- Proxyxml if you specify a proxy
m You will also see the following dialog if the configuration was successful Then please copy all files and
sub-folder under the working directory to the root of your USB drive And the USB drive is ready to use
39 Change Password
A user can change hisher password in NeoRouter Network Explorer User must sign in the Network Explorer using
old password then choose menu ldquoFile | Change Passwordrdquo then enter the new password in the dialog
Network Explorer CLI has similar functionality After signing in user can use ndashchangepassword command to enter
new password
If a user loses the old password an administrator can create a new password for himher using the Configuration
Explorer User Management tool
User Manual
NeoRouter Inc 2010 Page 31 of 53
4 Configuration Explorer
NeoRouter Configuration Explorer is a Windows application that allows an administrator to manage local or remote
NeoRouter server This is the recommended method to change server settings
If user does not have a Windows computer nrserver CLI can be used to perform most configurations
41 Launch and Sign In
Note Only administrators can sign in Configuration Explorer
a User can launch it from Windows Start Menu | All Programs | NeoRouter | NeoRouter Network Explorer
or from NeoRouter Network Explorer menu ldquoFile | Optionsrdquo
b After launch user will see a sign-in dialog that is similar to the Network Explorer counterpart Please enter
domain name and user credential to sign in If the local host is behind a proxy please click on Connection
button to set proxy information
c After sign in the following general information page will be displayed
User Manual
NeoRouter Inc 2010 Page 32 of 53
42 Managing Users
In the User Accounts page you can perform the following tasks
- View existing users The users list can be sorted by any column
- Add a new user admin will create a temporary password for the new user and user can change the
password in Network Explorer
- Edit user information you can enter anything like employer contact info etc
- Set userrsquos password If a user loses password admin can set a temporary password for himher Then user
can change the password again in Network Explorer
- Disable (block) a user A disabled user will not be able to sign in Network Explorer or Configuration
Explorer The userrsquos profile and ACL settings are retained
- Delete a user all information of this user is deleted
- View the computers that are visible to this user (see ACL section for details)
User Manual
NeoRouter Inc 2010 Page 33 of 53
43 Managing Computers
In the Computers page you can perform the following tasks
- View existing computers please note that the Type column will show ldquoTemporaryrdquo for Network Explore
PortableUSB clients and ldquoPermanentrdquo for regular clients The computer list can be sorted by any column
- Edit a computerrsquos alias When a computer is added to the virtual network NeoRouter reads the computer
name from the OS and displays it in the computer list If you prefer a different name you can create an
alias which will then be used in the computer list
- Edit a computerrsquos description you can enter anything like computer owner location asset id etc
- Edit ACL this will be discussed in next section
User Manual
NeoRouter Inc 2010 Page 34 of 53
44 Access Control List
This feature is available in NeoRouter Profession Edition only
441 Overview
The ACL of a host specifies which users are granted or denied access to the host and which specific services or ports
are allowed Administrators can use ACL to manage a NeoRouter domain that has users with different trust levels
For example Joe uses NeoRouter to manage the office network at his small business He wants to share some
documents on a file server with a customer but block this customer from accessing other services on this file server
and other computers at office At the same time Joe and his coworkers should continue to have full access to all
computers
This can be a daunting task with traditional VPN solutions Once Joersquos customer is connected into the office
network heshe can access all network resources just like Joe and his coworkers If the office uses a domain
controller it can help mitigate the threat but Joe would have to check all the computers to ensure they are secure
Some coworkers can make innocent mistakes and share important files or internal websites with ldquoeveryonerdquo With
NeoRouter Joe can manage all the access control at one place and easily solve this challenge
User Manual
NeoRouter Inc 2010 Page 35 of 53
ACL defines the relationships between users and computers that can be conceptually represented using a table In
Joersquos case he needs to define the ACL as follows
Default User Joe (Admin) Customer Joersquo Co-workers
Default Computer ACL Block all
File Server Allow all Allow file sharing
block other services
Office Computer A Allow all Block all
Office Computer B Allow all Block all
Joersquos laptop Allow all Block all
Customerrsquos Computer
Letrsquos first look at the row for File Server Joersquos customer will only have access to the files sharing service There is
no ACL defined for Joe and his co-workers so the ACL for Default User is effective and they have full access
Similarly the customer will be blocked from accessing office computer A and B as well as Joersquos laptop while Joe
and his coworkers have full access to these computers
When the customer connects to Joersquos NeoRouter domain his computer will be added to the domain Because the
ACL for this computer is undefined it will have the same ACL as ldquoDefault Computerrdquo Thus the customerrsquos
computer will block all users including Joe from accessing it The customer has physical access to his own
computer
442 Define Computer ACL
You can think of a computerrsquos ACL as a row in the above ACL table An admin can select any computer in the
computer list and edit its ACL If a group of computers share the same ACL admin can copy ACL from one
computer to another
To edit the Default Computer ACL you can click on the ldquoEdit Default ACLrdquo button in the tool bar
User Manual
NeoRouter Inc 2010 Page 36 of 53
443 Define ACL entry
An ACL entry defines the relationship between one user and one computer You can think of it as a cell in the above
table To edit an ACL entry you can select the computer in the computer list click Edit ACL in the tool bar and
then select the user in the User List in the following dialog If the user does not exist in the list you can click Add
button and add himher
There are 4 types of ACL entries
Undefined the relationship between the user and the computer is not explicitly defined The user does not
show up in the User List of the ACL In this case the Default User ACL entry for this computer will be
effective
Block All the computer is invisible to the user User cannot add the computer to hisher computer list in
Network Explorer or connect to it
Note admin can view the list of computers that is visible to a specific user Click on the User Accounts tab
choose the user and then click on the ldquoUser Computer Listrdquo button from tool bar
Firewall On User can only access the services in the exceptions list provided by the computer
Firewall Off User can access all services provided by the computer
To define the Default User ACL entry for a computer choose Default User from User List If several users have the
same trust level admin can copy the ACL entry from one user to another using the ldquoCopy Fromrdquo button
444 How Firewall Works
NeoRouter Client Service daemon has a built-in firewall that monitors traffic in the virtual network The firewall
downloads the ACL from server and uses it to allow or deny incoming connections in the virtual network
User Manual
NeoRouter Inc 2010 Page 37 of 53
When a remote computer establishes a direct P2P or relayed connection to local host it also informs which user has
signed into the Network Explorer on the remote computer Then the local hostrsquos firewall will use the user id to
choose the appropriate ACL entry and control the virtual network traffic between these two computers If user does
not sign in Network Explorer on the remote computer the Default User ACL entry is used
As a result NeoRouter firewall can control a userrsquos access to a network resource (a computer or a service on a
computer) based on the ACL
445 Example hub-and-spoke
Jeffrsquos company has three business partners A B and C Jeff needs to setup bidirectional network connections with
each partner but these partners should be invisible to each other Jeff setup a NeoRouter domain and invited the
partners to Then Jeff creates the following ACL to achieve his access control goals
Default User Jeff (Admin) Partner A Partner B Partner C
Default Computer ACL Block all Allow all
Jeffrsquos Computer 1 (Hub 1) Allow all
Jeffrsquos Computer 2 (Hub 2) Allow all
Partner Arsquos Computer
Partner Brsquos computer
Partner Crsquos computer
Every user will have access to Jeffrsquos two computers (hub) because they have Default User ACL entry as ldquoAllow
allrdquo Partner Arsquos computer does not have a specific ACL defined so the Default Computer ACL is effective The
Default Computer ACL grants Jeff access to Partner Arsquos computer but make the computer invisible to Partner B and
C Partner A have physical access to his own computer
446 Example one-way access
Jasonrsquos company provide technical support for customer A Jason needs to have one-way access to Customer Arsquos
computer but block Customer A from accessing Jasonrsquos computer Jason sets up the following ACL for his domain
and invites Customer A to join his domain Jason can access all the computers in the domain while Customer A can
access none except for his own
One day Jason visits another Customer Brsquos office He installs NeoRouter client on Customer Brsquos computer so that he
can provide technical support remotely in the future When he signs into Network Explorer he makes sure to
uncheck ldquoremember my passwordrdquo checkbox When he leaves customer Brsquos office he exits the Network Explorer
Because Network Explorer is not running on Customer Brsquos computer the Default User ACL governs the
connections from Customer Brsquos computer to other computers in the VLAN Thus Customer B does not have access
to any computers except for his own When Jason goes back to his office he can connect to Customer Brsquos computer
remotely and provide customer support
The difference between Customer A and B is that Customer A has a NeoRouter user account while Customer B does
not The result is that Jason has access to all three computers while Customer A or B can only access hisher own
computer
Default User Jason (Admin) Customer A
Default Computer ACL Block all Allow all
Jasonrsquos Computer
Customer Arsquos Computer
Customer Brsquos Computer
User Manual
NeoRouter Inc 2010 Page 38 of 53
45 Managing Server and Domain
In the Settings page you can perform the following tasks
- Change domain name User should have setup a domain during the server installation If you decide to
change the domain name you can create a new domain at NeoRouter Dashboard website and then use
Configuration Explorer to switch the server to new domain
- Change Listen Port this is discussed in the Advanced Configuration chapter
- Change NAT setting this is discussed in the Server Installation chapter
- Change DHCP this is discussed in the Advanced Configuration chapter
Please restart the NeoRouter server daemon after changes
46 Branding
This feature is available in NeoRouter Profession Edition only
Admin can customize the logo on the sign-in page NeoRouter Network Explorer and the banner below the computer
list The customization page of the Configuration Explorer allows user to make these changes The changes will be
effective next time user signs into the Network Explorer
User Manual
NeoRouter Inc 2010 Page 39 of 53
a Logo format custom logo can be JPG JPEG BMP or GIF files The Logo will be displayed in 180 80
pixels and the file will be automatically resized to fit The color of the pixel at (0 0) will be used as the
transparent color
b Banner format custom banner can be JPG JPEG BMP or GIF files The banner will be displayed in
190 42 pixels and the file will be automatically resized to fit
c When user clicks on the banner Network Explorer will launch a web browser and navigate to the link
specified in the ldquoBanner Linkrdquo box The banner link should be a valid URL that begins with http eg
httpwwwgooglecom
User Manual
NeoRouter Inc 2010 Page 40 of 53
47 Server Configuration CLI
Another way to configure the NeoRouter server is to use nrserverrsquos CLI If user does not have a Windows computer
with Configuration Explorer this tool can be used to set most configurations
Usage nrserver [options]
-run [--dbroot ltDBROOTgt]]
-showsettings
-setdomain ltDOMAINNAMEgt ltDOMAINPASSWORDgt
-setport ltPORTgt
-dhcp ltSUBNETgt ltNETMASKgt
-showusers
-adduser ltUSERNAMEgt ltPASSWORDgt [admin|user]
-setpassword ltUSERNAMEgt ltNEW PASSWORDgt
-setrole ltUSERNAMEgt [admin|user]
-enableuser ltUSERNAMEgt
-disableuser ltUSERNAMEgt
-deleteuser ltUSERNAMEgt
-showcomputers
-deletecomputer COMPUTERNAME
-setalias COMPUTERNAME ALIAS
-help
5 Advanced Configuration
51 Change Server Port
By default NeoRouter server listens at TCP port 32976 for incoming client connections User can change the
listening port to any valid number between 1 and 65534
a Launch Configuration Explorer sign in and open the Settings tab
b Click on ldquoChange Portrdquo button input the new listening port and click ldquoOkrdquo to save the settings
c If the NeoRouter Server is running on the same computer user will be prompted for restarting the
NeoRouter Server
d If the NeoRouter Server is running on a different computer or device user needs to restart the server
manually
User Manual
NeoRouter Inc 2010 Page 41 of 53
Note
- The new settings will not take effect until the NeoRouter server stops and restarts
- Since the listening port has been changed all NeoRouter clients connected to the server will be
disconnected and have to reconnect to the server
52 Change DHCP NeoRouter server acts as a DHCP server to allocate the virtual IP address when a NeoRouter client connects to it By default the base IP address is 100002552552550 User can change the base IP address to any valid network IP address to meet the specific requirements
a Run Configuration Explorer sign in and open the ldquoSettingsrdquo tab b Click on ldquoChange DHCPrdquo button input the new IP address and netmask and then click ldquoOkrdquo to save the
settings c If the NeoRouter Server is running on the same computer user will be prompted for restarting the
NeoRouter Server d If the NeoRouter Server is running on a different computer or device user needs to restart the server
manually
Note
- The new settings will not take effect until the NeoRouter server stops and restarts
53 Network Bridge
531 Overview NeoRouter (v099 or later) supports the Network Bridge feature which uses two very different means for
interconnecting networks routing and bridging Once the feature is enabled the ACL feature will be disabled
automatically as we cannot control the packets from the external networks anymore and may cause security issues if
its not setup properly So this is an advanced feature for the users who know about it every well
Routing - refers to the interconnection of separate and independent sub-networks (subnets) which have non-
overlapping ranges of IP addresses Upon receiving a packet sent to it a network router examines the
destination IP address to determine which of several connected networks should receive it after which that packet
is forwarded to the proper network
User Manual
NeoRouter Inc 2010 Page 42 of 53
Bridging - by comparison is much simpler A network bridge is simply an electrical interconnection between
separate physical networks that are all carrying the same ranges of IP addresses Standard dumb network hubs
and switches are examples of network bridges With a hub packets arriving at any port are bridged and sent
out to every other port A switch is a bit smarter since it is able to adaptively learn which network interface cards
(NICs) are attached to which ports But a switch is still interconnecting network segments carrying the same
ranges of IP addresses
532 Routing vs Bridging Although routed connections are the most common and straightforward to configure they suffer from significant
operational limitations By comparison bridged connections are generally much trickier to configure and are not
even natively available under all operating systems so they are not the default connection type But when bridging
is properly setup it correctly does everything that we want
Bridging and routing are functionally very similar with the major difference being that a routed VPN will not pass
IP broadcasts while a bridged VPN will
Routing advantages
Efficiency and scalability
Allows better tuning of MTU for efficiency
Routing disadvantages
Clients must use a WINS server (such as samba) to allow cross-VPN network browsing to work
Routes must be set up linking each subnet
Software that depends on broadcasts will not see machines on the other side of the VPN
Works only with IPv4 in general and IPv6 in cases where tuntap drivers on both ends of the connection
support it explicitly
Bridging advantages
Broadcasts traverse the VPN -- this allows software that depends on LAN broadcasts such as Windows
NetBIOS file sharing and network neighborhood browsing to work
No route statements to configure
Works with any protocol that can function over ethernet
Relatively easy-to-configure solution for road warriors
Bridging disadvantages
Less efficient than routing and does not scale well
533 Setup Network Bridge With either bridging mode or routing mode one can create point-to-site VPN site-to-site VPN or even multiple site-
to-site networks Once a network structure is well designed one can use Featureini file to control NeoRouter client
service to implement it
The file Featureini is located in the main configuration folder which can be various for different OS
On Windows Xp
XDocuments and SettingsAll UsersApplication DataZebraNetworkSystemsNeoRouter
On Vista+
XUsersAll UsersZebraNetworkSystemsNeoRouter
On Linux and Mac OSX
usrlocalZebraNetworkSystemsNeoRouter
On in-a-box
jffs
If it does not exist please create one
The only thing to do is define the parameters in the Featureini file
User Manual
NeoRouter Inc 2010 Page 43 of 53
NetworkBridge=1
LANSegment parameter
This is a set of parameters used for mapping the external IP address or IP range to a virtual IP address so that
NeoRouter can route the packets to the proper tunnel Its defined in the following format
LANSegment[index]=[IP|IP range|segment]VIP
[index] - number start from 1 for example 123
[IP] - a valid external IP address for example 192168129126
[IP range] - a set of external IP addresses in the format as IP_BEGIN-IP_END For example 192168129126-
192168129128
[segment] - a set of external IP addresses in the format as SUBNETWORKNETMASK For example
19216812902552552550
For example
[Default]
NetworkBridge=1
LANSegment1=192168129126-192168129128192168129204
LANSegment2=192168129120192168129205
LANSegment3=192168302552552550192168129206
In the sample above the setting tells NeoRouter how to route packets
Here are several common scenarios
534 Bridging Setup ndash point to site VPN
Requirement
A company wants create a point-to-site VPN so that the employees can remotely access the printers or computers in
the office from home or customer site Since NeoRouter client cannot be installed on the printers and some
User Manual
NeoRouter Inc 2010 Page 44 of 53
computers that are running Unix OS (HP-Unix Solaris or SCO Unix) the NeoRouter Network Bridge feature
would the best choice
Design
Since we want to use the printer its better to use the bridging mode Depending on the requirements we split the
network into 3 groups
1 192168129126 - 192168128128 used for computers or printers
2 192168129200 - 192168129254 used for NeoRouter DHCP
3 Other IP address we dont want packets from these IP range go to our VPN
Setup
1 Setup NeoRouter server and config the DHCP address to 1921681292002552552550
2 Setup the gateway computer by creating a bridge to combine the NeoRouter virtual adapter and a local adapter
On Windows XP+ (except WinXp x64) one can use Windows tool to create a bridge
(check out MSDN for details)
Since some adapters may not fully support prosmic mode one has to enable it manually
(check out httpsupportmicrosoftcomkb302348)
gt netsh bridge show adapter
gt netsh bridge set a 1 e
gt netsh bridge set a 2 e
On Linux one can use brctl command to create a bridge
gt brctl addbr $br
gt brctl addif $br eth0
gt brctl addif $br nrtap
gt ifconfig nrtap 0000 promisc up
gt ifconfig eth0 0000 promisc up
gt ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast
gt
gt ifconfig $br down
gt brctl delbr $br
3 Setup Featureini file on each member of the NeoRouter network The content of the file is
[Default]
NetworkBridge=1
LANSegment1=192168129126-192168129128192168129204
After setting the file restart the nrservice or reboot computer
User Manual
NeoRouter Inc 2010 Page 45 of 53
535 Routing Setup ndash site to site VPN
Requirement
A company wants create a site-to-site VPN to link two offices located in different cities They cannot install
NeoRouter client software on their computers running Unix OS (HP-Unix Solaris or SCO Unix) The NeoRouter
Network Bridge feature would be the best choice
Design
To make the VPN fast its better to use the routing mode From the requirements we can see 3 networks
1 19216812902552552550 Office 1
2 192168302552552550 Office 2
3 100102552552550 NeoRouter virtual network
Setup
1 Setup NeoRouter client on each gateway computers
2 One each gateway computer enable the feature allowing the OS to forward packets
On Windows 2000+
create HKEY_Local_MachineSystemCurrentControlSetServicesTcpipParametersIPEnableRouter
as a string value equal to 1 in the registry This will require a system reboot to take effect To confirm it
is enabled do ipconfig all from the command line IP Routing Enabled should say yes If not confirm your
registry setting and reboot again This setting is flaky in non-server versions of Windows
Also refer to httpsupportmicrosoftcomkb230082en-us
On Linux
gt echo 1 gt procsysnetipv4ip_forward
User Manual
NeoRouter Inc 2010 Page 46 of 53
On Mac OS X
1) The easy way is to create or edit etcsysctlconf and add netinetipforwarding=1
or
2) gt sysctl -w netinetipforwarding=1
3 Setup route on each gateway
On the gateway of the 1921683x network
gt route ndashp add 1921681290 mask 25525500 1001103
On the gateway of the 192168129x network
gt route ndashp add 19216830 mask 25525500 1001102
4 Setup route stable When using routing method you need to tell your other machines how to cross the VPN to
access computers on the opposite network
Option1
This requires more work but limits configuration changes to be at the computer level
On each computer of the 1921683x network
gt route ndashp add 1921681290 mask 25525500 1921683234
On each computer of the 192168129x network
gt route ndashp add 19216830 mask 25525500 192168129129
Option 2 (not all routers support this but it is the minimal configuration method)
On the router acting as the default gateway for 1921683x network add a static route that says any traffic destined
for 1921681290 network go through 1921683x (IP address of NeoRouter PC on 1921683x network)
On the router acting as the default gateway for 192168129x network add a static route that says any traffic
destined for 19216830 network go through 192168129x (IP address of NeoRouter PC on 192168129x
network)
User Manual
NeoRouter Inc 2010 Page 47 of 53
536 Bridging Setup ndash site to site VPN
537 Run Scripts When Network Bridge feature is enabled one can define commands getting called by NR Client on the following
events
These commands should be defined in the Featureini file
1When initialize the tap device but not activate it yet
CmdOnTapInit=xxxxxxxxx
2When the tap device gets activated
CmdOnTapActive=xxxxxxxxx
3When tap device gets destroyed
CmdOnTapUninit=xxxxxxxxx
These options are available on all platforms
For example one can define a script to setup static route table after the tap gets activated and has virtual IP address
assigned
Featureini
CmdOnTapActive=usrbinsetroutetablesh
User Manual
NeoRouter Inc 2010 Page 48 of 53
54 Build Custom Add-on (Windows)
541 Create Custom Add-on You can customize an add-on or even create your own
As an example letrsquos create an add-on to get the system info of a remote computer using PsTools by Mark
Russinovich and systeminfoexe command shipped with Windows
PsTools httptechnetmicrosoftcomen-ussysinternalsbb896649aspx
systeminfo httptechnetmicrosoftcomen-uslibrarybb491007aspx
a Launch NeoRouter Network Explorer open Add-ons Manager dialog
b Click + button to create a new add-on
c In add-on properties dialog enter the following
Add-on name psexec systeminfo
Command
cmdexe C cpstoolspsexecexe NRIPAddress -u ltusernamegt systeminfo amp pause
Please replace ltusernamegt with username on the remote computer
Comment Get SystemInfo of remote machine using psexec
Startup Type Manual
Icon click Change Icon button to choose one thats easy to recognize
d In the command you can use Windows environment variables or NeoRouter variables like
NRIPAddress If you click on the button next to the Command edit box you will see the Edit
Command dialog with a list of variables you can use
User Manual
NeoRouter Inc 2010 Page 49 of 53
e Three Startup types are supported
Manual the add-on will be displayed in the launch pad of Network Explorer and user can manually
launch the program
Automatic after signing in the add-on command is automatically executed when user signs into
NeoRouter Network Explorer
Automatic after Windows starts the add-on command is automatically executed when Windows
starts
f Launch the new add-on just click on the target computer in Network Explorer and choose the add-on in
the pop-up launch pad
User Manual
NeoRouter Inc 2010 Page 50 of 53
g In the above steps I have assumed that PsTools are installed at cPsTools and the remote computer has
telnet service enabled If not lets configure the system now
PsTools download from httptechnetmicrosoftcomen-ussysinternalsbb896649aspx and extract to
cPsTools folder
h Configure telnet service on remote computer This step is required on XPVista but not necessary on
Windows 20032008 servers
Run servicesmsc from the Start -gt Run command window and configured the Telnet service for
Automatic Start the service
Follow the instructions here httpsupportmicrosoftcomkb298060en-us
Launch Windows firewall and add CWINDOWSSystem32tlntsvrexe to exception list
542 Add-on File Formats
NeoRouter supports two types of add-on files nri and nra Most users only need to deal with nri files all files
downloaded from httpwwwneoroutercomaddonsindexhtml are in this format nra files are used by advanced
users to build custom add-ons
nri is the full installation package that contains both the application and the the configure info Users can simply
download nri files from and use the Install button to setup the add-on
nra contains only the configuration info Advanced users can create custom add-ons and export the configuration
info as nra files using the Export button in the add-on properties dialog Then heshe can import the nra file
on another client But remember that you will need to manually setup the application as well
User Manual
NeoRouter Inc 2010 Page 51 of 53
6 Licensing NeoRouter
61 Licensing Overview
NeoRouter Server Professional Edition has a license control mechanism User can purchase either 8 licenses or 256
licenses The number of licenses is the max number of client computers allowed in the virtual network A
NeoRouter client requires one license regardless of whether it is online or offline A NeoRouter PortableUSB client
requires one license when it is connected to the virtual network There is no limit on the number of user accounts
NeoRouter Professional has 30 days trial period Please activate before the trial period expires to ensure
uninterrupted usage The license status and remaining trial days can be found at Configuration Explorerrsquos General
page
62 Activation
If you have purchased NeoRouter Professional Edition you should receive a product key in email Please have the
product key ready before starting the activation process
a Ensure NeoRouter server is running
b Launch Configuration Explorer and sign in
c Open ldquoGeneralrdquo page click on the ldquoActivate Productrdquo button
d Enter the product key in the following dialog
e Click on the ldquoOKrdquo button to activate it
After successful activation the ldquoActivate Productrdquo button will disappear and License status will show as activated
If the server host is non-Windows you can also activate using nrserverrsquos CLI The command is as follows On Mac
nrserver executable is located under LibraryNeoRouter
ldquonrserver ndashactivateproduct ltPRODUCT KEYgtrdquo
63 Product Key Recovery
You should receive a product key in email within 48 hours after your purchase If you lose the product key please
contact us and provide your name company shipping address and email address We will verify the information and
resend the product key to you
User Manual
NeoRouter Inc 2010 Page 52 of 53
7 Troubleshooting and Support
71 Troubleshooting
If you come cross issues when using NeoRouter please use the methods to debug or report
711 Troubleshooting steps
1Install Server
2Check Server
Process
3Check Server
Listening port
4Check Port
Forwarding
6Signin with
Domain
14Check Error
Message
20 Generate Log
and email support
9Install Client
10Check Client
Service Process
11Sign in with
serverrsquos local or
public IP and port
failed
sucessful
15 Manually Start
Servernot found
started
not start
found
not open17 Check Port
conflicts
solved
Not solved
opened
19 Check Router
Port Forward
setting
not work
Set properly
8Ready
Sign in successfully
5Sign in with
public IP and port
successful
Cannot sign in
22 Router Hairpin
issue
Cannot
sign in
12Sign in with
domain name
found
successful
failed
16 Manually Start
Client ServiceNot found
started
13Ready
Sign in successfully
18 Check serverCannot
Sign in
solved
Cannot
sign in
21 Check domain
setting
Not sovled solved
Troubleshooting Steps
Setup Server Setup Client
Note
Step 2 and 10 to check if a process is running you can use Task Manager or Services Console on
Windows or ps command on other platforms
Step 3 to check server listening port you can use telnet or netstat on all platforms You can also
TcpViewer on Windows or NetActView on Linux
Step 4 to check port forwarding you can use httpwwwneoroutercomcheckportphp
Step 5 and 6 Tip ndash use Configuration Explorer instead of Network Explorer to debug server issues
Step 20 next section will explain how to generate log files
User Manual
NeoRouter Inc 2010 Page 53 of 53
Step 22 If your router does not support Hairpin please set serverrsquos LAN address in the Connection
Options dialog See Server Local Address
712 Generate Log
If you need technical support please use the following steps to collect the log files and send them to
supportneoroutercom
a Launch Network Explorer
b Select menu item HelpgtgtTroubleshootinggtgtLog Session to File
c If you want to troubleshoot the server then restart the NeoRouter server service from the servicesmsc if
you want to create log for the client then restart the NeoRouter client service from the servicemsc
d After reproduce the issue select menu item HelpgtgtTroubleshootinggtgt Log Session to File again to disable
the log and restart the service you are trying to log
e Select menu item HelpgtgtTroubleshootinggtgtOpen Configuration Folder and you will see the log file
For advanced users please setup logging settings manually referring to
httpwwwneoroutercomwikiindexphpNeoRouterWikiFAQHow_to_generate_a_log_file3F
72 Contact Us
Company website
httpwwwneoroutercom
Technical support
supportneoroutercom
Support ticket
httpswwwneoroutercomDashboardSendTicketaspx
Support forum
httpwwwneoroutercomforum
Product sales
salesneoroutercom
Knowledge base
httpwwwneoroutercomsupport
User Manual
NeoRouter Inc 2010 Page 10 of 53
f Click the Finish button to complete installation
g NeoRouter is installed under ldquoProgram FilesZebraNetworkSystemsNeoRouterrdquo and user data is stored
under ldquoAllUsersAppdataZebraNetworkSystemsNeoRouterrdquo
h NeoRouter server daemon can be controlled in Services Console (servicesmsc)
223 Install NeoRouter server on Mac
a Download NeoRouter server for Mac
b If you have installed an earlier version of NeoRouter please uninstall it In a terminal execute command
sudo LibraryNeoRouterrmnrserversh
c Double-click nrserver-ltversiongt-ltreleasegtdmg to open the disk image in Finder
d Double-click NeoRouterServermpkg to launch installer
e NeoRouter is installed under LibraryNeoRouter folder and user data is stored under
usrlocalZebraNetworkSystemsNeoRouter
224 Install NeoRouter server on Linux
a Download NeoRouter Server for your Linux distribution
b If you have installed an earlier version of NeoRouter please uninstall it
Redhat and Fedora sudo rpm -e nrserver
SuSE sudo rpm -e nrserver
Ubuntu and Debian sudo dpkg -r nrserver
c Install
Ubuntu amp Debian sudo dpkg -i nrserver-ltversiongt-ltreleasegti386deb
SuSE sudo rpm -i nrserver-ltversiongt-ltreleasegti386rpm
Redhat and Fedora sudo rpm -i nrserver-ltversiongt-ltreleasegti386rpm
Configure OpenSSL NeoRouter is compiled using openssl 098g If you have an older version of
Fedora please upgrade the openssl package You may also need to add the following symbol links
cd lib
ln -s libcryptoso098g libcryptoso098
ln -s libsslso098g libsslso098
d Configure firewall for NeoRouter server listening port
User Manual
NeoRouter Inc 2010 Page 11 of 53
Redhat and Fedora In a terminal run command sudo nano etcsysconfigiptables add -A INPUT -m
state --state NEW -m tcp -p tcp --dport 32976 -j ACCEPT before COMMIT
SuSE Launch firewall configuration tool choose Allowed Services in the left panel choose External
Zone in the first drop-down box choose NeoRouter server in the second drop-down box click Add
button click Next click Finish to save the changes
Ubuntu does not support firewall by default If you setup any firewall please open NeoRouter server port
(32976 by default)
e NeoRouter is installed under usrbin and user data is stored under
usrlocalZebraNetworkSystemsNeoRouter
225 Install NeoRouter Server on OpenWRT Kamikaze
a Connect to the router using ssh
b Update available install packages using command opkg update
c If you have installed an earlier version of NeoRouter please uninstall it opkg uninstall nrserver
d Install opkg install httpwwwneoroutercomDownloadsKamikazenrserver_ltversiongt-
ltreleasegt_mipselipk
e Configure firewall for the NeoRouter server listening port
edit etcfirewalluser and add the following
iptables -t nat -A prerouting_wan -p tcp --dport 32976 -j ACCEPT
iptables -A input_wan -p tcp --dport 32976 -j ACCEPT
f NeoRouter is installed under usrbin and user data is stored under
usrlocalZebraNetworkSystemsNeoRouter
226 Install NeoRouter Server on Tomato
a Download NeoRouter Server for Tomato It is a custom build of the full tomato firmware in TRX format
b Flash your router with the downloaded firmware See httpenwikibooksorgwikiTomato_(firmware) for
instructions
c In tomato UI ndash Administration ndash Jffs2 enable jffs and format if needed
d In tomato UI ndash Administration ndash scripts ndash WAN up add usrbinnrserversh start
e Reboot router
f NeoRouter is installed under usrbin and user data is stored under
usrlocalZebraNetworkSystemsNeoRouter
g Troubleshoot If you have trouble signing into NeoRouter Network Explorer from a remote client please
try DISABLE the Inbound Connection Logging In tomato UI - Status - Logs - Logging Configuration
disable Inbound Connection
227 Install NeoRouter Server on Fonera 20 N
a Download the NeoRouter Server for Fonera 20N (FON Plugin) package
b Open browser and log on to Fonera router web interface By default it is http192168101
c Navigate to Dashboard gtgt Applications
d If you have installed an earlier version of NeoRouter please uninstall it choose NeoRouter and click on the
ldquoXrdquo button to remove it
e Make sure there is more than 13MB free space left on the device
f Click the Browse button and choose the NeoRouter package then click the Upgrade button
g The installation will complete in a few seconds and the webpage will refresh automatically Do not
interrupt your browser during installation
h Please verify that NeoRouter icon shows up in the applications list and dashboard
i NeoRouter is installed under usrbin and user data is stored under
usrlocalZebraNetworkSystemsNeoRouter
User Manual
NeoRouter Inc 2010 Page 12 of 53
228 Create first administrator account
On Windows the install wizard will guide user to create the administrator
On non-Windows platforms NeoRouter can defer the authentication to the OS So user can sign in NeoRouter
using the same username and password as heshe logs into OS An exception is that if userrsquos OS account does
not have a password NeoRouter will not allow heshe to log in In this case user must create the first
administrator account using nrserver CLI ldquonrserver -adduser ltusernamegt ltpasswordgt [admin|user]rdquo On Mac
nrserver is located under ldquoLibraryNeoRouterrdquo
229 Setup NeoRouter domain
This step is only necessary on non-Windows platforms because Windows install wizard does this
automatically
a Launch web browser navigate to Dashboard CreateDomain page
httpswwwneoroutercomDashboardCreateDomainaspx fill the form and click Save
b Open a terminal on the server host and execute ldquonrserver -setdomain ltdomain namegt ltdomain
passwordgtrdquo On Mac nrserver is located under ldquoLibraryNeoRouterrdquo
2210 Port forwarding
This step is only necessary if your server host is behind a router or firewall We need to expose the NeoRouter
server port to Internet so server can accept incoming connections from the NeoRouter clients If you are using
NeoRouter in-a-box version and your router is directly connected to the cableDSL modem this step is
unnecessary
a Assign the server host a static LAN IP address
b Add ltserver host IP port 32976gt to Port Forwarding list NeoRouter server listens at port 32976 by default
and admin can change the port number using Configuration Explorer or nrserver CLI
Another option is to expose the NeoRouter server port is by UPnP This is only supported on Windows
a Enable UPnP in your router or firewall
b Launch Configuration Explorer on the server host click on ldquoSettingsrdquo tab and change ldquoserver NAT
settingrdquo to ldquoEnable UPnPrdquo
c Click the ldquoRestartrdquo button to restart server daemon
23 Client Setup
231 Install NeoRouter Client on Windows
a Download NeoRouter installation package for Windows NeoRouter server and client for Windows share
the same installation package
If you are installing on Windows 2000 please download the special package for this OS
b If you have installed an earlier version of NeoRouter please uninstall it using Windows Add or Remove
Program tool
c Run the installation wizard choose NeoRouter Client and click the Next button
User Manual
NeoRouter Inc 2010 Page 13 of 53
d On Vista or Win7 you may be prompted with a security warning because NeoRouter installs a virtual
network adapter Please allow the installer to proceed
e Follow the wizard to complete installation
f NeoRouter Network Explorer and Configuration Explorer are added to Windows Start menu
g NeoRouter is installed under ldquoProgram FilesZebraNetworkSystemsNeoRouterrdquo and user data is stored
under ldquoAllUsersAppdataZebraNetworkSystemsNeoRouterrdquo
h NeoRouter client service daemon can be controlled in Services Console (servicesmsc)
232 Install NeoRouter Client on Mac
a Download NeoRouter client for Mac
b If you have installed an earlier version of NeoRouter please uninstall it In a terminal execute command
sudo LibraryNeoRouterrmnrclientsh
c Double-click nrclient-ltversiongt-ltreleasegtdmg to open the disk image in Finder
d Double-click tuntap-ltversiongtpkg to install virtual network interface kernel extension
e Double-click NeoRouterClientmpkg to install NeoRouter client
f On Leopard or above NeoRouter Network Explorer is installed to the Applications folder
g On PPC Tiger a shortcut (nrclientcmd) is created on the Desktop and double-click it will launch Network
Explorer CLI
h NeoRouter is installed under ApplicationsNeoRouterapp and LibraryNeoRouter folder and user data is
stored under usrlocalZebraNetworkSystemsNeoRouter
233 Install NeoRouter Client on Linux
a Download NeoRouter Client for your Linux distribution
b If you have installed an earlier version of NeoRouter please uninstall it
Redhat and Fedora sudo rpm -e nrclient
SuSE sudo rpm -e nrclient
Ubuntu and Debian sudo dpkg -r nrclient
c Install
User Manual
NeoRouter Inc 2010 Page 14 of 53
RedHat and Fedora sudo rpm -i nrclient-ltversiongt-ltreleasegti386rpm
SuSE sudo rpm -i nrclient-ltversiongt-ltreleasegti386rpm
Ubuntu and Debian sudo dpkg -i nrclient-ltversiongt-ltreleasegti386deb
d Configure firewall for P2P connection (Optional)
Establishing direct P2P connection on Linux requires user to disable firewall Otherwise all connections to
this client will be relayed via server User must evaluate the trade-offs between performance and security
If this client is always physically located inside a trusted network like office or home LAN we recommend
disabling firewall and allow P2P connection If this client is physically located in an un-trusted network
like airport or coffee shop we recommend enabling firewall and relay all traffic via server
e Run usrbinnrclientcmd to launch Network Explorer CLI
f NeoRouter is installed under usrbin and user data is stored under
usrlocalZebraNetworkSystemsNeoRouter
234 Install NeoRouter Client on OpenWRT Kamikaze
a Connect to the router using ssh or telnet
b Update available install packages using command opkg update
c If you have installed an earlier version of NeoRouter please uninstall it opkg uninstall nrclient
d Install opkg install httpwwwneoroutercomDownloadsKamikazenrclient_ltversiongt-
ltreleasegt_mipselipk
e Configure firewall for P2P connection (Optional)
Please read NeoRouter client installation instructions for Linux and evaluate the trade-off between
performance and security If you decide to turn off firewall here is the instruction
edit etcfirewalluser and add the following
iptables -t nat -A prerouting_wan -p tcp -j ACCEPT
iptables -A input_wan -p tcp -j ACCEPT
iptables -t nat -A prerouting_wan -p udp -j ACCEPT
iptables -A input_wan -p udp -j ACCEPT
f Run usrbinnrclientcmd to launch Network Explorer CLI
g NeoRouter is installed under usrbin and user data is stored under
usrlocalZebraNetworkSystemsNeoRouter
h Turn your router into a file or backup server (Optional)
If your router has 8MB or more flash there should be enough space left for other packages You can enable
USB storage and Samba server and turn your router into a file server Or you can install rsync and turn it
into a backup server NeoRouters remote access and VPN service will allow you to securely access the
files from anywhere This solution is a lot cheaper than Small Business server or Windows Home server
Enable USB Storage httpnuwikiopenwrtorgoldwikiusbstoragehowto
Install Samba httpwikiopenwrtorgoldwikisambahowto
Install rsync httpoldwikiopenwrtorgrsync(2d)usb(2d)sambaHowTohtml
235 Install NeoRouter Client on Fonera 20N
a As Fonera 20N does not provide enough flash memory to install the NeoRouter client package we can run
it from a USB drive Another option is to flash the router with OpenWrt Kamikaze
b Download NeoRouter Client for Fonera 20N package
c Copy the package to a USB drive plug the USB drive to the FON router
d Connect to router using ssh
e Extract files tar zxvf nrclient-0991528-fon2n-mipseltgz
f If you didnt install the NeoRouter server plugin for FON please run the following commands Otherwise
you can skip this step
cp libuClibc++-022so usrliblibuClibc++-022so
ln -s usrliblibuClibc++-022so usrliblibuClibc++so0
g Setup NeoRouter Client
mkdir usrlocalZebraNetworkSystemsNeoRouter
run ldquonrservice amprdquo to launch the client service in the background
User Manual
NeoRouter Inc 2010 Page 15 of 53
run nrclientcmd to launch the Network Explorer CLI
h Disable firewall if you would like to establish direct P2P connection to this client
i Use the following steps to run client service automatically
vi usrbinnrcronclient and enter
binsh
if [ -z $(ps | grep nrservice | grep -v grep) ] then
usrbinnrservice gtdevnull amp
fi
exit 0
chmod 755 usrbinnrcronclient
Add a new entry to fonstate
etcinitdfonstate stop
vi etcconfigfonstate and enter
config fontimer
option action usrbinnrcronclient
option period 30
etcinitdfonstate start
3 Network Explorer
31 Launch and Sign In
a On Windows launch NeoRouter Network Explorer from Windows Start Menu | All Programs | NeoRouter
| NeoRouter Network Explorer
On Mac Leopard or above launch NeoRouter Network Explorer from Applications folder You can also
pin NeoRouter to the dock
User Manual
NeoRouter Inc 2010 Page 16 of 53
b Enter user credential
- If NeoRouter server is installed on Windows please use the administrator account created during
server setup
- If NeoRouter server is installed on other platforms NeoRouter can defer the authentication to the
operating system so user can sign in using the same username and password as heshe logs into OS
- User can also use the additional accounts created in Configuration Explorer or server CLI
- If you are invited to a NeoRouter domain please contact the administrator for your account
information
c In the Log on to field enter the domain name you have chosen during server setup Alternatively you can
enter the serverrsquos IP address or computer name You can also enter localhost if the Network Explorer is
on the same host as the server
d If the client host is behind proxy please choose Menu ldquoFile | Connectionsrdquo to bring up the Connection
Options dialog click Proxy Setting tab and then set proxy information
e Click the Sign In button
32 Computer List
The computer list is your view of the VLAN You can add any computer in your VLAN to this list and organize
according to your preference You will always have the same list regardless where you sign in from Each user will
have hisher separate list
Initially you will see an empty computer list after signing in for the very first time (see the left picture below) To
add a computer you can choose the menu Computers | Add a computer and then select the computer and category
in the dialog Once complete your computer list will be updated (see the right picture below)
You can use categories to help manage a long list of computers To create a category you can choose menu
Computers | Create a category To move a computer to a different category you can simply drag and drop
User Manual
NeoRouter Inc 2010 Page 17 of 53
Starting in release v098 the computer list shows the OS type icons next to a computer name If a computer is
online its icon is colourful and its name is bold If a computer is offline its icon is grey and its name is not bold
33 Add-on Add-ons extend NeoRouter Network Explorer and let you perform additional tasks over the virtual network
User Manual
NeoRouter Inc 2010 Page 18 of 53
331 Add-on launch pad
If you click on a computer in the computer list a popup dialog will display a list of actions you can take to remotely
control and access this computer This dialog is called the add-on launch pad
Screenshots on Windows
Screenshot on Mac
User Manual
NeoRouter Inc 2010 Page 19 of 53
NeoRouter Network Explorer has a few system default add-ons If a computer is online the following add-ons are
available
Icon Action
remote desktop connection
file sharing
ICMP ping
copy the IP address
If a computer is offline the following add-ons are supported
Icon Action
remote wakeup (WOL)
Note on remote wakeup NeoRouter server can send the Magic packet and wake up hosts that are WOL enabled If
the NeoRouter server is installed on a router remote wakeup works for hosts directly attached to this router If
server is installed on Windows Linux or Mac remote wakeup works for hosts in the same physical LAN To enable
WOL you may need to change BIOS and OS settings
332 Manage Add-ons (Windows)
You can download additional add-ons from the NeoRouter download website
(httpwwwneoroutercomaddonsindexhtml) and install them using the Add-on Manager Here we use UltraVNC
as an example to explain the setup process
a Launch NeoRouter Network Explorer choose menu File - Add-ons
b The Add-ons Manager dialog lists all the existing add-ons including system default ones and those
installed by user
User Manual
NeoRouter Inc 2010 Page 20 of 53
c To find more add-ons click on the Add-ons Gallery link at the bottom of the dialog or visit
httpwwwneoroutercomaddonsindexhtml in your web browser Download the add-on (nri) file to
your computer
d In the Add-ons Manager dialog click on Install button locate the nri file you just downloaded and
click Open to install the add-on
e Some add-ons including UltraVNC may require user to restart the NeoRouter Network Explorer to
complete the installation In such case you will see the following message box You can exit NeoRouter
Network Explorer by right click its icon in system tray and choose exit
f After installation you will see the new add-ons show up in the list
User Manual
NeoRouter Inc 2010 Page 21 of 53
g When you re-launch NeoRouter Network Explorer UltraVNC server will be started automatically If you
have not run UltraVNC server before you will see the following firewall warning and VNC configuration
dialog
h Please click the unblock button when you see the following dialog
Please enter VNC password then click the Ok button
User Manual
NeoRouter Inc 2010 Page 22 of 53
i Repeat the above steps on the remote computer that you plan to access
j To launch VNC viewer and access the remote computer choose the computer in the computer list and
click VNC viewer icon in the launch pad
333 Manage Add-ons (Mac)
a Launch NeoRouter Network Explorer choose menu File - Add-ons
b The Add-ons Manager dialog lists all the existing add-ons including system default ones and those added
by user
User Manual
NeoRouter Inc 2010 Page 23 of 53
c An add-on is essentially an apple script with NeoRouter parameters Here are some examples
Name Script
Copy IP set the clipboard to $NRIPAddress
Ping tell application Terminal to do script ping $NRIPAddress
Shared Folder tell application Finder to open location smb$NRIPAddress
Variables $NRIPAddress and $NRComputerName will be replaced with the IP and name of the selected
computer before the add-on is executed
d You can also create new add-ons or edit existing ones using the Add-On Properties dialog
User Manual
NeoRouter Inc 2010 Page 24 of 53
e To learn more about Apple Script please visit the following websites
httpenwikipediaorgwikiAppleScript
httpdeveloperapplecommaclibrarydocumentationAppleScriptConceptualAppleScriptXAp
pleScriptXhtml
34 Connection Options Connection Options dialog can be opened from Network Explorer menu ldquoFile | Connectionrdquo
341 P2P Connection This option allows user to specify the connection type between this computer and its peers The default option is
UDP User can also use direct TCP connection or relay traffic through NeoRouter server
342 Proxy Setting If the client host is behind proxy user can enter the proxy information here
User Manual
NeoRouter Inc 2010 Page 25 of 53
343 Server Local Address This option can be used to work around the connectivity issue when NeoRouter server is behind a router that does
not support hairpin
A router supports hairpin if it allows a host behind it to send network messages to its public-facing interface
Unfortunately some popular routers do not support this feature or turn off this feature by default
When user logs into NeoRouter Network Explorer first translates domain name into routerrsquos public address using
the NeoRouter DDNS service and then tries to connect to server using this address If both NeoRouter server and
client are behind the same router and the router does not support hairpin the router will block the messages that
client sends to the routerrsquos public address thus client fails to establish connection to server User could work around
this issue by entering serverrsquos LAN IP address instead of domain name in the ldquolog on tordquo box but this can be a
hassle for laptop users who frequently move between networks
These users can choose the second option ldquoConnect to server using its local address when possiblerdquo in the following
dialog and enter serverrsquos local address NeoRouter Network Explorer can detect when client and server are behind
the same router and automatically choose the specified local address to establish the connection to server
User Manual
NeoRouter Inc 2010 Page 26 of 53
35 Multi-Language
Multi-Language support allows you to change the default language displayed in Network Explorer NeoRouter
Portable and Configuration Explorer
351 Install a language resource file
NeoRouter applications support 34 languages and English is the default To install a new language you can
download the language resource files from
httpwwwneoroutercomwikiindexphpNeoRouterWikiMultilanguage and place them under the translation
folder Then the application will load them and list all available languages in the Language menu You can switch
language in the menu and the application will refresh its UI with the new language
For NeoRouter Network Explorer and Configuration Explorer the language resource files should be placed under
one of the following folders
ldquoProgram FilesZebraNetworkSystemsNeoRouterTranslationrdquo
ldquoAllUsersAppdataZebraNetworkSystemsNeoRouterTranslationrdquo
For NeoRouter PortableUSB the language resource file should be placed under Translations folder next to
application
352 Language resource file format
The file name should have the following format [Appliation Name] can be NRClient NRViewer and NRConsole
[LangCd] is the short language code
[Application name]Resource[LangCd][xml|dll]
For example Simplified Chinese version has the following files NRClientResourceZhCnxml for Network
Explorer NRConsoleResourceZhCnxml for Configuration Explorer and NRViewerResourceZhCnxml for
NeoRouter Portable
User Manual
NeoRouter Inc 2010 Page 27 of 53
Each resource file is an xml that contains all the strings defined in the NeoRouter applications The file is encoded in
ANSI The content should be in the format
ltxml version=10 encoding=windows-1252gt
ltresource CompactMode=1 Language=English (United States) LANGID=1033
version=09101650gt
ltstring id=100 value=OLE initialization failed Make sure that the OLE libraries are
the correct versiongt
ltresourcegt
Encoding (=windows-1252) Language(=English (United States)) and LANGID(=1033) are used to control
the translation version=09101650 is resource file version number introduced in v0910 The resource file can
be recognized properly only when these parameters are set properly
353 Multi-Language support for Add-ons
The names and descriptions of the add-ons can be translated to other languages as well You can download the add-
on configuration file from NeoRouter website and overwrite the following file
AllUserAppDataZebraNetworkSystemsNeoRouterAddOnsAddOnxml
36 Skin
Skin allows you to further customize the user interfaces of Network Explorer NeoRouter Portable and
Configuration Explorer
To install a new skin you can download the skin resource file from
httpwwwneoroutercomwikiindexphpNeoRouterWikiSkin and place them under the skin folder
For NeoRouter Network Explorer and Configuration Explorer the language resource files should be placed under
one of the following folders
ldquoProgram FilesZebraNetworkSystemsNeoRouterSkinrdquo
ldquoAllUsersAppdataZebraNetworkSystemsNeoRouterSkinrdquo
For NeoRouter PortableUSB the language resource file should be placed under Skin folder next to executable
To change default skin you need to modify (or create if not exists)
AllUserAppDataZebraNetworkSystemsNeoRouterFeatureini file and add the following
[Default]
SkinName=xxxxstyles
SkinStyle=xxxxini
37 Network Explorer CLI
NeoRouter Network Explorer Command Line Interface (CLI) allows user to sign in manage the computer list and
view computer status Below are the screenshots on Mac and Ubuntu Linux
User Manual
NeoRouter Inc 2010 Page 28 of 53
371 Launch CLI
Usage nrclientcmd [-d DOMAIN] [-u USERNAME] [-p PASSWORD] [-setproxy] [-setconn] [-dbroot DBROOT]
[-internal] [--help]
To launch Network Explorer CLI you can simply run nrclientcmd in a terminal without parameters Mac users can
simply double-click on the nrclientcmd shortcut on the Desktop You will be prompted for domain name and user
credential
If you need to launch nrclientcmd in a startup script you can also provide domain name or credential in the
command line arguments
If the client host is behind a proxy you can use ndashsetproxy option The proxy information will be stored in the
configuration file and nrclientcmd will respect this setting subsequently
There are also a few advance options
- setconn allow user to specify client-to-client connection type
- dbroot allow user to specify the location to store user data
- internal nrclientcmd will generate tags between information sections This option can be used by third
party developers to create a UI wrapper for CLI
372 Computer List in CLI
After signing in you will see your computer list just like on Windows The computer list will automatically update
if there are any changes in your virtual LAN eg a host comes online or offline
At the bottom of the screen lists the available commands you can use to manage the computer list change password
remotely wake up a computer or to quit
38 Network Explorer Portable
NeoRouter Network Explorer Portable can run from any computer without installation It does not require
administrator permission or use the virtual network adapter This application can be extremely useful for users who
need to connect to the VLAN from a public kiosk or from friendrsquos house
User Manual
NeoRouter Inc 2010 Page 29 of 53
Note Prior to v111 Portable and USB are two separate packages They are merged into one package in v111 and
later releases The new package is a zip file containing both the portable client and the USB Auto Run Configuration
Tool The functionalities are same as before
381 Network Explorer Portable
To use Network Explorer Portable client user can simply download it from NeoRouter download website and run
Then user will see the same user interface as the regular Network Explorer The user experience is almost the same
except for the following
The host running PortableUSB client cannot be added to the computer list or be accessed by remote computer
You can think of it as a ldquoviewer of the VLANrdquo
NeoRouter administrator users can see and manage hosts running PortableUSB clients in the Configuration
Explorer
382 Auto Run Configuration for USB
Auto Run Configuration Tool allows user to store the portable client add-ons and configuration on a USB drive
You can even configure it to launch and sign in automatically when the USB drive is plugged into a computer and to
sign out and exit when the USB drive is unplugged
Here are the steps for setting up the USB package
a Download NeoRouter for USB
b Unzip the package to any folder For example CTEMP
c Launch the ldquoAuto Run Configuration Toolrdquo (AutoRunCfgexe)
User Manual
NeoRouter Inc 2010 Page 30 of 53
d Click on the ldquohelliprdquo button next to the working directory text box and specify a working path If the target
USB drive is plugged in you can specify the USB drive root path as the working directory Or you can
specify a temporary path (eg CTEMPUSB) and copy the files to your USB driver later
e Once you specify a working directory the Settings section will be enabled
f Choose CliViewerexe from the same install zip package as the Target file
g Check the Sign in checkbox and enter the domain name and user information to log into your NeoRouter
VLAN
h Setup the proxy information if necessary
i If you want to import a NeoRouter add-on click on the button on the right side of the Add-on file text
box and specify an add-on nri file
j If you want to run an application automatically after signing in click on the Run application
automatically check box and input an executable file path and parameters
k If you want to hide the NeoRouter Viewer window click on the Minimize NeoRouter window when
started
l Click on Save button to save the configuration files It will generate the following files under the working
directory
- Autoruninf
- CliViewerexe copied from the target file
- NRAutoRunxml
- [add-on file]nri if you specify an add-on
- Proxyxml if you specify a proxy
m You will also see the following dialog if the configuration was successful Then please copy all files and
sub-folder under the working directory to the root of your USB drive And the USB drive is ready to use
39 Change Password
A user can change hisher password in NeoRouter Network Explorer User must sign in the Network Explorer using
old password then choose menu ldquoFile | Change Passwordrdquo then enter the new password in the dialog
Network Explorer CLI has similar functionality After signing in user can use ndashchangepassword command to enter
new password
If a user loses the old password an administrator can create a new password for himher using the Configuration
Explorer User Management tool
User Manual
NeoRouter Inc 2010 Page 31 of 53
4 Configuration Explorer
NeoRouter Configuration Explorer is a Windows application that allows an administrator to manage local or remote
NeoRouter server This is the recommended method to change server settings
If user does not have a Windows computer nrserver CLI can be used to perform most configurations
41 Launch and Sign In
Note Only administrators can sign in Configuration Explorer
a User can launch it from Windows Start Menu | All Programs | NeoRouter | NeoRouter Network Explorer
or from NeoRouter Network Explorer menu ldquoFile | Optionsrdquo
b After launch user will see a sign-in dialog that is similar to the Network Explorer counterpart Please enter
domain name and user credential to sign in If the local host is behind a proxy please click on Connection
button to set proxy information
c After sign in the following general information page will be displayed
User Manual
NeoRouter Inc 2010 Page 32 of 53
42 Managing Users
In the User Accounts page you can perform the following tasks
- View existing users The users list can be sorted by any column
- Add a new user admin will create a temporary password for the new user and user can change the
password in Network Explorer
- Edit user information you can enter anything like employer contact info etc
- Set userrsquos password If a user loses password admin can set a temporary password for himher Then user
can change the password again in Network Explorer
- Disable (block) a user A disabled user will not be able to sign in Network Explorer or Configuration
Explorer The userrsquos profile and ACL settings are retained
- Delete a user all information of this user is deleted
- View the computers that are visible to this user (see ACL section for details)
User Manual
NeoRouter Inc 2010 Page 33 of 53
43 Managing Computers
In the Computers page you can perform the following tasks
- View existing computers please note that the Type column will show ldquoTemporaryrdquo for Network Explore
PortableUSB clients and ldquoPermanentrdquo for regular clients The computer list can be sorted by any column
- Edit a computerrsquos alias When a computer is added to the virtual network NeoRouter reads the computer
name from the OS and displays it in the computer list If you prefer a different name you can create an
alias which will then be used in the computer list
- Edit a computerrsquos description you can enter anything like computer owner location asset id etc
- Edit ACL this will be discussed in next section
User Manual
NeoRouter Inc 2010 Page 34 of 53
44 Access Control List
This feature is available in NeoRouter Profession Edition only
441 Overview
The ACL of a host specifies which users are granted or denied access to the host and which specific services or ports
are allowed Administrators can use ACL to manage a NeoRouter domain that has users with different trust levels
For example Joe uses NeoRouter to manage the office network at his small business He wants to share some
documents on a file server with a customer but block this customer from accessing other services on this file server
and other computers at office At the same time Joe and his coworkers should continue to have full access to all
computers
This can be a daunting task with traditional VPN solutions Once Joersquos customer is connected into the office
network heshe can access all network resources just like Joe and his coworkers If the office uses a domain
controller it can help mitigate the threat but Joe would have to check all the computers to ensure they are secure
Some coworkers can make innocent mistakes and share important files or internal websites with ldquoeveryonerdquo With
NeoRouter Joe can manage all the access control at one place and easily solve this challenge
User Manual
NeoRouter Inc 2010 Page 35 of 53
ACL defines the relationships between users and computers that can be conceptually represented using a table In
Joersquos case he needs to define the ACL as follows
Default User Joe (Admin) Customer Joersquo Co-workers
Default Computer ACL Block all
File Server Allow all Allow file sharing
block other services
Office Computer A Allow all Block all
Office Computer B Allow all Block all
Joersquos laptop Allow all Block all
Customerrsquos Computer
Letrsquos first look at the row for File Server Joersquos customer will only have access to the files sharing service There is
no ACL defined for Joe and his co-workers so the ACL for Default User is effective and they have full access
Similarly the customer will be blocked from accessing office computer A and B as well as Joersquos laptop while Joe
and his coworkers have full access to these computers
When the customer connects to Joersquos NeoRouter domain his computer will be added to the domain Because the
ACL for this computer is undefined it will have the same ACL as ldquoDefault Computerrdquo Thus the customerrsquos
computer will block all users including Joe from accessing it The customer has physical access to his own
computer
442 Define Computer ACL
You can think of a computerrsquos ACL as a row in the above ACL table An admin can select any computer in the
computer list and edit its ACL If a group of computers share the same ACL admin can copy ACL from one
computer to another
To edit the Default Computer ACL you can click on the ldquoEdit Default ACLrdquo button in the tool bar
User Manual
NeoRouter Inc 2010 Page 36 of 53
443 Define ACL entry
An ACL entry defines the relationship between one user and one computer You can think of it as a cell in the above
table To edit an ACL entry you can select the computer in the computer list click Edit ACL in the tool bar and
then select the user in the User List in the following dialog If the user does not exist in the list you can click Add
button and add himher
There are 4 types of ACL entries
Undefined the relationship between the user and the computer is not explicitly defined The user does not
show up in the User List of the ACL In this case the Default User ACL entry for this computer will be
effective
Block All the computer is invisible to the user User cannot add the computer to hisher computer list in
Network Explorer or connect to it
Note admin can view the list of computers that is visible to a specific user Click on the User Accounts tab
choose the user and then click on the ldquoUser Computer Listrdquo button from tool bar
Firewall On User can only access the services in the exceptions list provided by the computer
Firewall Off User can access all services provided by the computer
To define the Default User ACL entry for a computer choose Default User from User List If several users have the
same trust level admin can copy the ACL entry from one user to another using the ldquoCopy Fromrdquo button
444 How Firewall Works
NeoRouter Client Service daemon has a built-in firewall that monitors traffic in the virtual network The firewall
downloads the ACL from server and uses it to allow or deny incoming connections in the virtual network
User Manual
NeoRouter Inc 2010 Page 37 of 53
When a remote computer establishes a direct P2P or relayed connection to local host it also informs which user has
signed into the Network Explorer on the remote computer Then the local hostrsquos firewall will use the user id to
choose the appropriate ACL entry and control the virtual network traffic between these two computers If user does
not sign in Network Explorer on the remote computer the Default User ACL entry is used
As a result NeoRouter firewall can control a userrsquos access to a network resource (a computer or a service on a
computer) based on the ACL
445 Example hub-and-spoke
Jeffrsquos company has three business partners A B and C Jeff needs to setup bidirectional network connections with
each partner but these partners should be invisible to each other Jeff setup a NeoRouter domain and invited the
partners to Then Jeff creates the following ACL to achieve his access control goals
Default User Jeff (Admin) Partner A Partner B Partner C
Default Computer ACL Block all Allow all
Jeffrsquos Computer 1 (Hub 1) Allow all
Jeffrsquos Computer 2 (Hub 2) Allow all
Partner Arsquos Computer
Partner Brsquos computer
Partner Crsquos computer
Every user will have access to Jeffrsquos two computers (hub) because they have Default User ACL entry as ldquoAllow
allrdquo Partner Arsquos computer does not have a specific ACL defined so the Default Computer ACL is effective The
Default Computer ACL grants Jeff access to Partner Arsquos computer but make the computer invisible to Partner B and
C Partner A have physical access to his own computer
446 Example one-way access
Jasonrsquos company provide technical support for customer A Jason needs to have one-way access to Customer Arsquos
computer but block Customer A from accessing Jasonrsquos computer Jason sets up the following ACL for his domain
and invites Customer A to join his domain Jason can access all the computers in the domain while Customer A can
access none except for his own
One day Jason visits another Customer Brsquos office He installs NeoRouter client on Customer Brsquos computer so that he
can provide technical support remotely in the future When he signs into Network Explorer he makes sure to
uncheck ldquoremember my passwordrdquo checkbox When he leaves customer Brsquos office he exits the Network Explorer
Because Network Explorer is not running on Customer Brsquos computer the Default User ACL governs the
connections from Customer Brsquos computer to other computers in the VLAN Thus Customer B does not have access
to any computers except for his own When Jason goes back to his office he can connect to Customer Brsquos computer
remotely and provide customer support
The difference between Customer A and B is that Customer A has a NeoRouter user account while Customer B does
not The result is that Jason has access to all three computers while Customer A or B can only access hisher own
computer
Default User Jason (Admin) Customer A
Default Computer ACL Block all Allow all
Jasonrsquos Computer
Customer Arsquos Computer
Customer Brsquos Computer
User Manual
NeoRouter Inc 2010 Page 38 of 53
45 Managing Server and Domain
In the Settings page you can perform the following tasks
- Change domain name User should have setup a domain during the server installation If you decide to
change the domain name you can create a new domain at NeoRouter Dashboard website and then use
Configuration Explorer to switch the server to new domain
- Change Listen Port this is discussed in the Advanced Configuration chapter
- Change NAT setting this is discussed in the Server Installation chapter
- Change DHCP this is discussed in the Advanced Configuration chapter
Please restart the NeoRouter server daemon after changes
46 Branding
This feature is available in NeoRouter Profession Edition only
Admin can customize the logo on the sign-in page NeoRouter Network Explorer and the banner below the computer
list The customization page of the Configuration Explorer allows user to make these changes The changes will be
effective next time user signs into the Network Explorer
User Manual
NeoRouter Inc 2010 Page 39 of 53
a Logo format custom logo can be JPG JPEG BMP or GIF files The Logo will be displayed in 180 80
pixels and the file will be automatically resized to fit The color of the pixel at (0 0) will be used as the
transparent color
b Banner format custom banner can be JPG JPEG BMP or GIF files The banner will be displayed in
190 42 pixels and the file will be automatically resized to fit
c When user clicks on the banner Network Explorer will launch a web browser and navigate to the link
specified in the ldquoBanner Linkrdquo box The banner link should be a valid URL that begins with http eg
httpwwwgooglecom
User Manual
NeoRouter Inc 2010 Page 40 of 53
47 Server Configuration CLI
Another way to configure the NeoRouter server is to use nrserverrsquos CLI If user does not have a Windows computer
with Configuration Explorer this tool can be used to set most configurations
Usage nrserver [options]
-run [--dbroot ltDBROOTgt]]
-showsettings
-setdomain ltDOMAINNAMEgt ltDOMAINPASSWORDgt
-setport ltPORTgt
-dhcp ltSUBNETgt ltNETMASKgt
-showusers
-adduser ltUSERNAMEgt ltPASSWORDgt [admin|user]
-setpassword ltUSERNAMEgt ltNEW PASSWORDgt
-setrole ltUSERNAMEgt [admin|user]
-enableuser ltUSERNAMEgt
-disableuser ltUSERNAMEgt
-deleteuser ltUSERNAMEgt
-showcomputers
-deletecomputer COMPUTERNAME
-setalias COMPUTERNAME ALIAS
-help
5 Advanced Configuration
51 Change Server Port
By default NeoRouter server listens at TCP port 32976 for incoming client connections User can change the
listening port to any valid number between 1 and 65534
a Launch Configuration Explorer sign in and open the Settings tab
b Click on ldquoChange Portrdquo button input the new listening port and click ldquoOkrdquo to save the settings
c If the NeoRouter Server is running on the same computer user will be prompted for restarting the
NeoRouter Server
d If the NeoRouter Server is running on a different computer or device user needs to restart the server
manually
User Manual
NeoRouter Inc 2010 Page 41 of 53
Note
- The new settings will not take effect until the NeoRouter server stops and restarts
- Since the listening port has been changed all NeoRouter clients connected to the server will be
disconnected and have to reconnect to the server
52 Change DHCP NeoRouter server acts as a DHCP server to allocate the virtual IP address when a NeoRouter client connects to it By default the base IP address is 100002552552550 User can change the base IP address to any valid network IP address to meet the specific requirements
a Run Configuration Explorer sign in and open the ldquoSettingsrdquo tab b Click on ldquoChange DHCPrdquo button input the new IP address and netmask and then click ldquoOkrdquo to save the
settings c If the NeoRouter Server is running on the same computer user will be prompted for restarting the
NeoRouter Server d If the NeoRouter Server is running on a different computer or device user needs to restart the server
manually
Note
- The new settings will not take effect until the NeoRouter server stops and restarts
53 Network Bridge
531 Overview NeoRouter (v099 or later) supports the Network Bridge feature which uses two very different means for
interconnecting networks routing and bridging Once the feature is enabled the ACL feature will be disabled
automatically as we cannot control the packets from the external networks anymore and may cause security issues if
its not setup properly So this is an advanced feature for the users who know about it every well
Routing - refers to the interconnection of separate and independent sub-networks (subnets) which have non-
overlapping ranges of IP addresses Upon receiving a packet sent to it a network router examines the
destination IP address to determine which of several connected networks should receive it after which that packet
is forwarded to the proper network
User Manual
NeoRouter Inc 2010 Page 42 of 53
Bridging - by comparison is much simpler A network bridge is simply an electrical interconnection between
separate physical networks that are all carrying the same ranges of IP addresses Standard dumb network hubs
and switches are examples of network bridges With a hub packets arriving at any port are bridged and sent
out to every other port A switch is a bit smarter since it is able to adaptively learn which network interface cards
(NICs) are attached to which ports But a switch is still interconnecting network segments carrying the same
ranges of IP addresses
532 Routing vs Bridging Although routed connections are the most common and straightforward to configure they suffer from significant
operational limitations By comparison bridged connections are generally much trickier to configure and are not
even natively available under all operating systems so they are not the default connection type But when bridging
is properly setup it correctly does everything that we want
Bridging and routing are functionally very similar with the major difference being that a routed VPN will not pass
IP broadcasts while a bridged VPN will
Routing advantages
Efficiency and scalability
Allows better tuning of MTU for efficiency
Routing disadvantages
Clients must use a WINS server (such as samba) to allow cross-VPN network browsing to work
Routes must be set up linking each subnet
Software that depends on broadcasts will not see machines on the other side of the VPN
Works only with IPv4 in general and IPv6 in cases where tuntap drivers on both ends of the connection
support it explicitly
Bridging advantages
Broadcasts traverse the VPN -- this allows software that depends on LAN broadcasts such as Windows
NetBIOS file sharing and network neighborhood browsing to work
No route statements to configure
Works with any protocol that can function over ethernet
Relatively easy-to-configure solution for road warriors
Bridging disadvantages
Less efficient than routing and does not scale well
533 Setup Network Bridge With either bridging mode or routing mode one can create point-to-site VPN site-to-site VPN or even multiple site-
to-site networks Once a network structure is well designed one can use Featureini file to control NeoRouter client
service to implement it
The file Featureini is located in the main configuration folder which can be various for different OS
On Windows Xp
XDocuments and SettingsAll UsersApplication DataZebraNetworkSystemsNeoRouter
On Vista+
XUsersAll UsersZebraNetworkSystemsNeoRouter
On Linux and Mac OSX
usrlocalZebraNetworkSystemsNeoRouter
On in-a-box
jffs
If it does not exist please create one
The only thing to do is define the parameters in the Featureini file
User Manual
NeoRouter Inc 2010 Page 43 of 53
NetworkBridge=1
LANSegment parameter
This is a set of parameters used for mapping the external IP address or IP range to a virtual IP address so that
NeoRouter can route the packets to the proper tunnel Its defined in the following format
LANSegment[index]=[IP|IP range|segment]VIP
[index] - number start from 1 for example 123
[IP] - a valid external IP address for example 192168129126
[IP range] - a set of external IP addresses in the format as IP_BEGIN-IP_END For example 192168129126-
192168129128
[segment] - a set of external IP addresses in the format as SUBNETWORKNETMASK For example
19216812902552552550
For example
[Default]
NetworkBridge=1
LANSegment1=192168129126-192168129128192168129204
LANSegment2=192168129120192168129205
LANSegment3=192168302552552550192168129206
In the sample above the setting tells NeoRouter how to route packets
Here are several common scenarios
534 Bridging Setup ndash point to site VPN
Requirement
A company wants create a point-to-site VPN so that the employees can remotely access the printers or computers in
the office from home or customer site Since NeoRouter client cannot be installed on the printers and some
User Manual
NeoRouter Inc 2010 Page 44 of 53
computers that are running Unix OS (HP-Unix Solaris or SCO Unix) the NeoRouter Network Bridge feature
would the best choice
Design
Since we want to use the printer its better to use the bridging mode Depending on the requirements we split the
network into 3 groups
1 192168129126 - 192168128128 used for computers or printers
2 192168129200 - 192168129254 used for NeoRouter DHCP
3 Other IP address we dont want packets from these IP range go to our VPN
Setup
1 Setup NeoRouter server and config the DHCP address to 1921681292002552552550
2 Setup the gateway computer by creating a bridge to combine the NeoRouter virtual adapter and a local adapter
On Windows XP+ (except WinXp x64) one can use Windows tool to create a bridge
(check out MSDN for details)
Since some adapters may not fully support prosmic mode one has to enable it manually
(check out httpsupportmicrosoftcomkb302348)
gt netsh bridge show adapter
gt netsh bridge set a 1 e
gt netsh bridge set a 2 e
On Linux one can use brctl command to create a bridge
gt brctl addbr $br
gt brctl addif $br eth0
gt brctl addif $br nrtap
gt ifconfig nrtap 0000 promisc up
gt ifconfig eth0 0000 promisc up
gt ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast
gt
gt ifconfig $br down
gt brctl delbr $br
3 Setup Featureini file on each member of the NeoRouter network The content of the file is
[Default]
NetworkBridge=1
LANSegment1=192168129126-192168129128192168129204
After setting the file restart the nrservice or reboot computer
User Manual
NeoRouter Inc 2010 Page 45 of 53
535 Routing Setup ndash site to site VPN
Requirement
A company wants create a site-to-site VPN to link two offices located in different cities They cannot install
NeoRouter client software on their computers running Unix OS (HP-Unix Solaris or SCO Unix) The NeoRouter
Network Bridge feature would be the best choice
Design
To make the VPN fast its better to use the routing mode From the requirements we can see 3 networks
1 19216812902552552550 Office 1
2 192168302552552550 Office 2
3 100102552552550 NeoRouter virtual network
Setup
1 Setup NeoRouter client on each gateway computers
2 One each gateway computer enable the feature allowing the OS to forward packets
On Windows 2000+
create HKEY_Local_MachineSystemCurrentControlSetServicesTcpipParametersIPEnableRouter
as a string value equal to 1 in the registry This will require a system reboot to take effect To confirm it
is enabled do ipconfig all from the command line IP Routing Enabled should say yes If not confirm your
registry setting and reboot again This setting is flaky in non-server versions of Windows
Also refer to httpsupportmicrosoftcomkb230082en-us
On Linux
gt echo 1 gt procsysnetipv4ip_forward
User Manual
NeoRouter Inc 2010 Page 46 of 53
On Mac OS X
1) The easy way is to create or edit etcsysctlconf and add netinetipforwarding=1
or
2) gt sysctl -w netinetipforwarding=1
3 Setup route on each gateway
On the gateway of the 1921683x network
gt route ndashp add 1921681290 mask 25525500 1001103
On the gateway of the 192168129x network
gt route ndashp add 19216830 mask 25525500 1001102
4 Setup route stable When using routing method you need to tell your other machines how to cross the VPN to
access computers on the opposite network
Option1
This requires more work but limits configuration changes to be at the computer level
On each computer of the 1921683x network
gt route ndashp add 1921681290 mask 25525500 1921683234
On each computer of the 192168129x network
gt route ndashp add 19216830 mask 25525500 192168129129
Option 2 (not all routers support this but it is the minimal configuration method)
On the router acting as the default gateway for 1921683x network add a static route that says any traffic destined
for 1921681290 network go through 1921683x (IP address of NeoRouter PC on 1921683x network)
On the router acting as the default gateway for 192168129x network add a static route that says any traffic
destined for 19216830 network go through 192168129x (IP address of NeoRouter PC on 192168129x
network)
User Manual
NeoRouter Inc 2010 Page 47 of 53
536 Bridging Setup ndash site to site VPN
537 Run Scripts When Network Bridge feature is enabled one can define commands getting called by NR Client on the following
events
These commands should be defined in the Featureini file
1When initialize the tap device but not activate it yet
CmdOnTapInit=xxxxxxxxx
2When the tap device gets activated
CmdOnTapActive=xxxxxxxxx
3When tap device gets destroyed
CmdOnTapUninit=xxxxxxxxx
These options are available on all platforms
For example one can define a script to setup static route table after the tap gets activated and has virtual IP address
assigned
Featureini
CmdOnTapActive=usrbinsetroutetablesh
User Manual
NeoRouter Inc 2010 Page 48 of 53
54 Build Custom Add-on (Windows)
541 Create Custom Add-on You can customize an add-on or even create your own
As an example letrsquos create an add-on to get the system info of a remote computer using PsTools by Mark
Russinovich and systeminfoexe command shipped with Windows
PsTools httptechnetmicrosoftcomen-ussysinternalsbb896649aspx
systeminfo httptechnetmicrosoftcomen-uslibrarybb491007aspx
a Launch NeoRouter Network Explorer open Add-ons Manager dialog
b Click + button to create a new add-on
c In add-on properties dialog enter the following
Add-on name psexec systeminfo
Command
cmdexe C cpstoolspsexecexe NRIPAddress -u ltusernamegt systeminfo amp pause
Please replace ltusernamegt with username on the remote computer
Comment Get SystemInfo of remote machine using psexec
Startup Type Manual
Icon click Change Icon button to choose one thats easy to recognize
d In the command you can use Windows environment variables or NeoRouter variables like
NRIPAddress If you click on the button next to the Command edit box you will see the Edit
Command dialog with a list of variables you can use
User Manual
NeoRouter Inc 2010 Page 49 of 53
e Three Startup types are supported
Manual the add-on will be displayed in the launch pad of Network Explorer and user can manually
launch the program
Automatic after signing in the add-on command is automatically executed when user signs into
NeoRouter Network Explorer
Automatic after Windows starts the add-on command is automatically executed when Windows
starts
f Launch the new add-on just click on the target computer in Network Explorer and choose the add-on in
the pop-up launch pad
User Manual
NeoRouter Inc 2010 Page 50 of 53
g In the above steps I have assumed that PsTools are installed at cPsTools and the remote computer has
telnet service enabled If not lets configure the system now
PsTools download from httptechnetmicrosoftcomen-ussysinternalsbb896649aspx and extract to
cPsTools folder
h Configure telnet service on remote computer This step is required on XPVista but not necessary on
Windows 20032008 servers
Run servicesmsc from the Start -gt Run command window and configured the Telnet service for
Automatic Start the service
Follow the instructions here httpsupportmicrosoftcomkb298060en-us
Launch Windows firewall and add CWINDOWSSystem32tlntsvrexe to exception list
542 Add-on File Formats
NeoRouter supports two types of add-on files nri and nra Most users only need to deal with nri files all files
downloaded from httpwwwneoroutercomaddonsindexhtml are in this format nra files are used by advanced
users to build custom add-ons
nri is the full installation package that contains both the application and the the configure info Users can simply
download nri files from and use the Install button to setup the add-on
nra contains only the configuration info Advanced users can create custom add-ons and export the configuration
info as nra files using the Export button in the add-on properties dialog Then heshe can import the nra file
on another client But remember that you will need to manually setup the application as well
User Manual
NeoRouter Inc 2010 Page 51 of 53
6 Licensing NeoRouter
61 Licensing Overview
NeoRouter Server Professional Edition has a license control mechanism User can purchase either 8 licenses or 256
licenses The number of licenses is the max number of client computers allowed in the virtual network A
NeoRouter client requires one license regardless of whether it is online or offline A NeoRouter PortableUSB client
requires one license when it is connected to the virtual network There is no limit on the number of user accounts
NeoRouter Professional has 30 days trial period Please activate before the trial period expires to ensure
uninterrupted usage The license status and remaining trial days can be found at Configuration Explorerrsquos General
page
62 Activation
If you have purchased NeoRouter Professional Edition you should receive a product key in email Please have the
product key ready before starting the activation process
a Ensure NeoRouter server is running
b Launch Configuration Explorer and sign in
c Open ldquoGeneralrdquo page click on the ldquoActivate Productrdquo button
d Enter the product key in the following dialog
e Click on the ldquoOKrdquo button to activate it
After successful activation the ldquoActivate Productrdquo button will disappear and License status will show as activated
If the server host is non-Windows you can also activate using nrserverrsquos CLI The command is as follows On Mac
nrserver executable is located under LibraryNeoRouter
ldquonrserver ndashactivateproduct ltPRODUCT KEYgtrdquo
63 Product Key Recovery
You should receive a product key in email within 48 hours after your purchase If you lose the product key please
contact us and provide your name company shipping address and email address We will verify the information and
resend the product key to you
User Manual
NeoRouter Inc 2010 Page 52 of 53
7 Troubleshooting and Support
71 Troubleshooting
If you come cross issues when using NeoRouter please use the methods to debug or report
711 Troubleshooting steps
1Install Server
2Check Server
Process
3Check Server
Listening port
4Check Port
Forwarding
6Signin with
Domain
14Check Error
Message
20 Generate Log
and email support
9Install Client
10Check Client
Service Process
11Sign in with
serverrsquos local or
public IP and port
failed
sucessful
15 Manually Start
Servernot found
started
not start
found
not open17 Check Port
conflicts
solved
Not solved
opened
19 Check Router
Port Forward
setting
not work
Set properly
8Ready
Sign in successfully
5Sign in with
public IP and port
successful
Cannot sign in
22 Router Hairpin
issue
Cannot
sign in
12Sign in with
domain name
found
successful
failed
16 Manually Start
Client ServiceNot found
started
13Ready
Sign in successfully
18 Check serverCannot
Sign in
solved
Cannot
sign in
21 Check domain
setting
Not sovled solved
Troubleshooting Steps
Setup Server Setup Client
Note
Step 2 and 10 to check if a process is running you can use Task Manager or Services Console on
Windows or ps command on other platforms
Step 3 to check server listening port you can use telnet or netstat on all platforms You can also
TcpViewer on Windows or NetActView on Linux
Step 4 to check port forwarding you can use httpwwwneoroutercomcheckportphp
Step 5 and 6 Tip ndash use Configuration Explorer instead of Network Explorer to debug server issues
Step 20 next section will explain how to generate log files
User Manual
NeoRouter Inc 2010 Page 53 of 53
Step 22 If your router does not support Hairpin please set serverrsquos LAN address in the Connection
Options dialog See Server Local Address
712 Generate Log
If you need technical support please use the following steps to collect the log files and send them to
supportneoroutercom
a Launch Network Explorer
b Select menu item HelpgtgtTroubleshootinggtgtLog Session to File
c If you want to troubleshoot the server then restart the NeoRouter server service from the servicesmsc if
you want to create log for the client then restart the NeoRouter client service from the servicemsc
d After reproduce the issue select menu item HelpgtgtTroubleshootinggtgt Log Session to File again to disable
the log and restart the service you are trying to log
e Select menu item HelpgtgtTroubleshootinggtgtOpen Configuration Folder and you will see the log file
For advanced users please setup logging settings manually referring to
httpwwwneoroutercomwikiindexphpNeoRouterWikiFAQHow_to_generate_a_log_file3F
72 Contact Us
Company website
httpwwwneoroutercom
Technical support
supportneoroutercom
Support ticket
httpswwwneoroutercomDashboardSendTicketaspx
Support forum
httpwwwneoroutercomforum
Product sales
salesneoroutercom
Knowledge base
httpwwwneoroutercomsupport
User Manual
NeoRouter Inc 2010 Page 11 of 53
Redhat and Fedora In a terminal run command sudo nano etcsysconfigiptables add -A INPUT -m
state --state NEW -m tcp -p tcp --dport 32976 -j ACCEPT before COMMIT
SuSE Launch firewall configuration tool choose Allowed Services in the left panel choose External
Zone in the first drop-down box choose NeoRouter server in the second drop-down box click Add
button click Next click Finish to save the changes
Ubuntu does not support firewall by default If you setup any firewall please open NeoRouter server port
(32976 by default)
e NeoRouter is installed under usrbin and user data is stored under
usrlocalZebraNetworkSystemsNeoRouter
225 Install NeoRouter Server on OpenWRT Kamikaze
a Connect to the router using ssh
b Update available install packages using command opkg update
c If you have installed an earlier version of NeoRouter please uninstall it opkg uninstall nrserver
d Install opkg install httpwwwneoroutercomDownloadsKamikazenrserver_ltversiongt-
ltreleasegt_mipselipk
e Configure firewall for the NeoRouter server listening port
edit etcfirewalluser and add the following
iptables -t nat -A prerouting_wan -p tcp --dport 32976 -j ACCEPT
iptables -A input_wan -p tcp --dport 32976 -j ACCEPT
f NeoRouter is installed under usrbin and user data is stored under
usrlocalZebraNetworkSystemsNeoRouter
226 Install NeoRouter Server on Tomato
a Download NeoRouter Server for Tomato It is a custom build of the full tomato firmware in TRX format
b Flash your router with the downloaded firmware See httpenwikibooksorgwikiTomato_(firmware) for
instructions
c In tomato UI ndash Administration ndash Jffs2 enable jffs and format if needed
d In tomato UI ndash Administration ndash scripts ndash WAN up add usrbinnrserversh start
e Reboot router
f NeoRouter is installed under usrbin and user data is stored under
usrlocalZebraNetworkSystemsNeoRouter
g Troubleshoot If you have trouble signing into NeoRouter Network Explorer from a remote client please
try DISABLE the Inbound Connection Logging In tomato UI - Status - Logs - Logging Configuration
disable Inbound Connection
227 Install NeoRouter Server on Fonera 20 N
a Download the NeoRouter Server for Fonera 20N (FON Plugin) package
b Open browser and log on to Fonera router web interface By default it is http192168101
c Navigate to Dashboard gtgt Applications
d If you have installed an earlier version of NeoRouter please uninstall it choose NeoRouter and click on the
ldquoXrdquo button to remove it
e Make sure there is more than 13MB free space left on the device
f Click the Browse button and choose the NeoRouter package then click the Upgrade button
g The installation will complete in a few seconds and the webpage will refresh automatically Do not
interrupt your browser during installation
h Please verify that NeoRouter icon shows up in the applications list and dashboard
i NeoRouter is installed under usrbin and user data is stored under
usrlocalZebraNetworkSystemsNeoRouter
User Manual
NeoRouter Inc 2010 Page 12 of 53
228 Create first administrator account
On Windows the install wizard will guide user to create the administrator
On non-Windows platforms NeoRouter can defer the authentication to the OS So user can sign in NeoRouter
using the same username and password as heshe logs into OS An exception is that if userrsquos OS account does
not have a password NeoRouter will not allow heshe to log in In this case user must create the first
administrator account using nrserver CLI ldquonrserver -adduser ltusernamegt ltpasswordgt [admin|user]rdquo On Mac
nrserver is located under ldquoLibraryNeoRouterrdquo
229 Setup NeoRouter domain
This step is only necessary on non-Windows platforms because Windows install wizard does this
automatically
a Launch web browser navigate to Dashboard CreateDomain page
httpswwwneoroutercomDashboardCreateDomainaspx fill the form and click Save
b Open a terminal on the server host and execute ldquonrserver -setdomain ltdomain namegt ltdomain
passwordgtrdquo On Mac nrserver is located under ldquoLibraryNeoRouterrdquo
2210 Port forwarding
This step is only necessary if your server host is behind a router or firewall We need to expose the NeoRouter
server port to Internet so server can accept incoming connections from the NeoRouter clients If you are using
NeoRouter in-a-box version and your router is directly connected to the cableDSL modem this step is
unnecessary
a Assign the server host a static LAN IP address
b Add ltserver host IP port 32976gt to Port Forwarding list NeoRouter server listens at port 32976 by default
and admin can change the port number using Configuration Explorer or nrserver CLI
Another option is to expose the NeoRouter server port is by UPnP This is only supported on Windows
a Enable UPnP in your router or firewall
b Launch Configuration Explorer on the server host click on ldquoSettingsrdquo tab and change ldquoserver NAT
settingrdquo to ldquoEnable UPnPrdquo
c Click the ldquoRestartrdquo button to restart server daemon
23 Client Setup
231 Install NeoRouter Client on Windows
a Download NeoRouter installation package for Windows NeoRouter server and client for Windows share
the same installation package
If you are installing on Windows 2000 please download the special package for this OS
b If you have installed an earlier version of NeoRouter please uninstall it using Windows Add or Remove
Program tool
c Run the installation wizard choose NeoRouter Client and click the Next button
User Manual
NeoRouter Inc 2010 Page 13 of 53
d On Vista or Win7 you may be prompted with a security warning because NeoRouter installs a virtual
network adapter Please allow the installer to proceed
e Follow the wizard to complete installation
f NeoRouter Network Explorer and Configuration Explorer are added to Windows Start menu
g NeoRouter is installed under ldquoProgram FilesZebraNetworkSystemsNeoRouterrdquo and user data is stored
under ldquoAllUsersAppdataZebraNetworkSystemsNeoRouterrdquo
h NeoRouter client service daemon can be controlled in Services Console (servicesmsc)
232 Install NeoRouter Client on Mac
a Download NeoRouter client for Mac
b If you have installed an earlier version of NeoRouter please uninstall it In a terminal execute command
sudo LibraryNeoRouterrmnrclientsh
c Double-click nrclient-ltversiongt-ltreleasegtdmg to open the disk image in Finder
d Double-click tuntap-ltversiongtpkg to install virtual network interface kernel extension
e Double-click NeoRouterClientmpkg to install NeoRouter client
f On Leopard or above NeoRouter Network Explorer is installed to the Applications folder
g On PPC Tiger a shortcut (nrclientcmd) is created on the Desktop and double-click it will launch Network
Explorer CLI
h NeoRouter is installed under ApplicationsNeoRouterapp and LibraryNeoRouter folder and user data is
stored under usrlocalZebraNetworkSystemsNeoRouter
233 Install NeoRouter Client on Linux
a Download NeoRouter Client for your Linux distribution
b If you have installed an earlier version of NeoRouter please uninstall it
Redhat and Fedora sudo rpm -e nrclient
SuSE sudo rpm -e nrclient
Ubuntu and Debian sudo dpkg -r nrclient
c Install
User Manual
NeoRouter Inc 2010 Page 14 of 53
RedHat and Fedora sudo rpm -i nrclient-ltversiongt-ltreleasegti386rpm
SuSE sudo rpm -i nrclient-ltversiongt-ltreleasegti386rpm
Ubuntu and Debian sudo dpkg -i nrclient-ltversiongt-ltreleasegti386deb
d Configure firewall for P2P connection (Optional)
Establishing direct P2P connection on Linux requires user to disable firewall Otherwise all connections to
this client will be relayed via server User must evaluate the trade-offs between performance and security
If this client is always physically located inside a trusted network like office or home LAN we recommend
disabling firewall and allow P2P connection If this client is physically located in an un-trusted network
like airport or coffee shop we recommend enabling firewall and relay all traffic via server
e Run usrbinnrclientcmd to launch Network Explorer CLI
f NeoRouter is installed under usrbin and user data is stored under
usrlocalZebraNetworkSystemsNeoRouter
234 Install NeoRouter Client on OpenWRT Kamikaze
a Connect to the router using ssh or telnet
b Update available install packages using command opkg update
c If you have installed an earlier version of NeoRouter please uninstall it opkg uninstall nrclient
d Install opkg install httpwwwneoroutercomDownloadsKamikazenrclient_ltversiongt-
ltreleasegt_mipselipk
e Configure firewall for P2P connection (Optional)
Please read NeoRouter client installation instructions for Linux and evaluate the trade-off between
performance and security If you decide to turn off firewall here is the instruction
edit etcfirewalluser and add the following
iptables -t nat -A prerouting_wan -p tcp -j ACCEPT
iptables -A input_wan -p tcp -j ACCEPT
iptables -t nat -A prerouting_wan -p udp -j ACCEPT
iptables -A input_wan -p udp -j ACCEPT
f Run usrbinnrclientcmd to launch Network Explorer CLI
g NeoRouter is installed under usrbin and user data is stored under
usrlocalZebraNetworkSystemsNeoRouter
h Turn your router into a file or backup server (Optional)
If your router has 8MB or more flash there should be enough space left for other packages You can enable
USB storage and Samba server and turn your router into a file server Or you can install rsync and turn it
into a backup server NeoRouters remote access and VPN service will allow you to securely access the
files from anywhere This solution is a lot cheaper than Small Business server or Windows Home server
Enable USB Storage httpnuwikiopenwrtorgoldwikiusbstoragehowto
Install Samba httpwikiopenwrtorgoldwikisambahowto
Install rsync httpoldwikiopenwrtorgrsync(2d)usb(2d)sambaHowTohtml
235 Install NeoRouter Client on Fonera 20N
a As Fonera 20N does not provide enough flash memory to install the NeoRouter client package we can run
it from a USB drive Another option is to flash the router with OpenWrt Kamikaze
b Download NeoRouter Client for Fonera 20N package
c Copy the package to a USB drive plug the USB drive to the FON router
d Connect to router using ssh
e Extract files tar zxvf nrclient-0991528-fon2n-mipseltgz
f If you didnt install the NeoRouter server plugin for FON please run the following commands Otherwise
you can skip this step
cp libuClibc++-022so usrliblibuClibc++-022so
ln -s usrliblibuClibc++-022so usrliblibuClibc++so0
g Setup NeoRouter Client
mkdir usrlocalZebraNetworkSystemsNeoRouter
run ldquonrservice amprdquo to launch the client service in the background
User Manual
NeoRouter Inc 2010 Page 15 of 53
run nrclientcmd to launch the Network Explorer CLI
h Disable firewall if you would like to establish direct P2P connection to this client
i Use the following steps to run client service automatically
vi usrbinnrcronclient and enter
binsh
if [ -z $(ps | grep nrservice | grep -v grep) ] then
usrbinnrservice gtdevnull amp
fi
exit 0
chmod 755 usrbinnrcronclient
Add a new entry to fonstate
etcinitdfonstate stop
vi etcconfigfonstate and enter
config fontimer
option action usrbinnrcronclient
option period 30
etcinitdfonstate start
3 Network Explorer
31 Launch and Sign In
a On Windows launch NeoRouter Network Explorer from Windows Start Menu | All Programs | NeoRouter
| NeoRouter Network Explorer
On Mac Leopard or above launch NeoRouter Network Explorer from Applications folder You can also
pin NeoRouter to the dock
User Manual
NeoRouter Inc 2010 Page 16 of 53
b Enter user credential
- If NeoRouter server is installed on Windows please use the administrator account created during
server setup
- If NeoRouter server is installed on other platforms NeoRouter can defer the authentication to the
operating system so user can sign in using the same username and password as heshe logs into OS
- User can also use the additional accounts created in Configuration Explorer or server CLI
- If you are invited to a NeoRouter domain please contact the administrator for your account
information
c In the Log on to field enter the domain name you have chosen during server setup Alternatively you can
enter the serverrsquos IP address or computer name You can also enter localhost if the Network Explorer is
on the same host as the server
d If the client host is behind proxy please choose Menu ldquoFile | Connectionsrdquo to bring up the Connection
Options dialog click Proxy Setting tab and then set proxy information
e Click the Sign In button
32 Computer List
The computer list is your view of the VLAN You can add any computer in your VLAN to this list and organize
according to your preference You will always have the same list regardless where you sign in from Each user will
have hisher separate list
Initially you will see an empty computer list after signing in for the very first time (see the left picture below) To
add a computer you can choose the menu Computers | Add a computer and then select the computer and category
in the dialog Once complete your computer list will be updated (see the right picture below)
You can use categories to help manage a long list of computers To create a category you can choose menu
Computers | Create a category To move a computer to a different category you can simply drag and drop
User Manual
NeoRouter Inc 2010 Page 17 of 53
Starting in release v098 the computer list shows the OS type icons next to a computer name If a computer is
online its icon is colourful and its name is bold If a computer is offline its icon is grey and its name is not bold
33 Add-on Add-ons extend NeoRouter Network Explorer and let you perform additional tasks over the virtual network
User Manual
NeoRouter Inc 2010 Page 18 of 53
331 Add-on launch pad
If you click on a computer in the computer list a popup dialog will display a list of actions you can take to remotely
control and access this computer This dialog is called the add-on launch pad
Screenshots on Windows
Screenshot on Mac
User Manual
NeoRouter Inc 2010 Page 19 of 53
NeoRouter Network Explorer has a few system default add-ons If a computer is online the following add-ons are
available
Icon Action
remote desktop connection
file sharing
ICMP ping
copy the IP address
If a computer is offline the following add-ons are supported
Icon Action
remote wakeup (WOL)
Note on remote wakeup NeoRouter server can send the Magic packet and wake up hosts that are WOL enabled If
the NeoRouter server is installed on a router remote wakeup works for hosts directly attached to this router If
server is installed on Windows Linux or Mac remote wakeup works for hosts in the same physical LAN To enable
WOL you may need to change BIOS and OS settings
332 Manage Add-ons (Windows)
You can download additional add-ons from the NeoRouter download website
(httpwwwneoroutercomaddonsindexhtml) and install them using the Add-on Manager Here we use UltraVNC
as an example to explain the setup process
a Launch NeoRouter Network Explorer choose menu File - Add-ons
b The Add-ons Manager dialog lists all the existing add-ons including system default ones and those
installed by user
User Manual
NeoRouter Inc 2010 Page 20 of 53
c To find more add-ons click on the Add-ons Gallery link at the bottom of the dialog or visit
httpwwwneoroutercomaddonsindexhtml in your web browser Download the add-on (nri) file to
your computer
d In the Add-ons Manager dialog click on Install button locate the nri file you just downloaded and
click Open to install the add-on
e Some add-ons including UltraVNC may require user to restart the NeoRouter Network Explorer to
complete the installation In such case you will see the following message box You can exit NeoRouter
Network Explorer by right click its icon in system tray and choose exit
f After installation you will see the new add-ons show up in the list
User Manual
NeoRouter Inc 2010 Page 21 of 53
g When you re-launch NeoRouter Network Explorer UltraVNC server will be started automatically If you
have not run UltraVNC server before you will see the following firewall warning and VNC configuration
dialog
h Please click the unblock button when you see the following dialog
Please enter VNC password then click the Ok button
User Manual
NeoRouter Inc 2010 Page 22 of 53
i Repeat the above steps on the remote computer that you plan to access
j To launch VNC viewer and access the remote computer choose the computer in the computer list and
click VNC viewer icon in the launch pad
333 Manage Add-ons (Mac)
a Launch NeoRouter Network Explorer choose menu File - Add-ons
b The Add-ons Manager dialog lists all the existing add-ons including system default ones and those added
by user
User Manual
NeoRouter Inc 2010 Page 23 of 53
c An add-on is essentially an apple script with NeoRouter parameters Here are some examples
Name Script
Copy IP set the clipboard to $NRIPAddress
Ping tell application Terminal to do script ping $NRIPAddress
Shared Folder tell application Finder to open location smb$NRIPAddress
Variables $NRIPAddress and $NRComputerName will be replaced with the IP and name of the selected
computer before the add-on is executed
d You can also create new add-ons or edit existing ones using the Add-On Properties dialog
User Manual
NeoRouter Inc 2010 Page 24 of 53
e To learn more about Apple Script please visit the following websites
httpenwikipediaorgwikiAppleScript
httpdeveloperapplecommaclibrarydocumentationAppleScriptConceptualAppleScriptXAp
pleScriptXhtml
34 Connection Options Connection Options dialog can be opened from Network Explorer menu ldquoFile | Connectionrdquo
341 P2P Connection This option allows user to specify the connection type between this computer and its peers The default option is
UDP User can also use direct TCP connection or relay traffic through NeoRouter server
342 Proxy Setting If the client host is behind proxy user can enter the proxy information here
User Manual
NeoRouter Inc 2010 Page 25 of 53
343 Server Local Address This option can be used to work around the connectivity issue when NeoRouter server is behind a router that does
not support hairpin
A router supports hairpin if it allows a host behind it to send network messages to its public-facing interface
Unfortunately some popular routers do not support this feature or turn off this feature by default
When user logs into NeoRouter Network Explorer first translates domain name into routerrsquos public address using
the NeoRouter DDNS service and then tries to connect to server using this address If both NeoRouter server and
client are behind the same router and the router does not support hairpin the router will block the messages that
client sends to the routerrsquos public address thus client fails to establish connection to server User could work around
this issue by entering serverrsquos LAN IP address instead of domain name in the ldquolog on tordquo box but this can be a
hassle for laptop users who frequently move between networks
These users can choose the second option ldquoConnect to server using its local address when possiblerdquo in the following
dialog and enter serverrsquos local address NeoRouter Network Explorer can detect when client and server are behind
the same router and automatically choose the specified local address to establish the connection to server
User Manual
NeoRouter Inc 2010 Page 26 of 53
35 Multi-Language
Multi-Language support allows you to change the default language displayed in Network Explorer NeoRouter
Portable and Configuration Explorer
351 Install a language resource file
NeoRouter applications support 34 languages and English is the default To install a new language you can
download the language resource files from
httpwwwneoroutercomwikiindexphpNeoRouterWikiMultilanguage and place them under the translation
folder Then the application will load them and list all available languages in the Language menu You can switch
language in the menu and the application will refresh its UI with the new language
For NeoRouter Network Explorer and Configuration Explorer the language resource files should be placed under
one of the following folders
ldquoProgram FilesZebraNetworkSystemsNeoRouterTranslationrdquo
ldquoAllUsersAppdataZebraNetworkSystemsNeoRouterTranslationrdquo
For NeoRouter PortableUSB the language resource file should be placed under Translations folder next to
application
352 Language resource file format
The file name should have the following format [Appliation Name] can be NRClient NRViewer and NRConsole
[LangCd] is the short language code
[Application name]Resource[LangCd][xml|dll]
For example Simplified Chinese version has the following files NRClientResourceZhCnxml for Network
Explorer NRConsoleResourceZhCnxml for Configuration Explorer and NRViewerResourceZhCnxml for
NeoRouter Portable
User Manual
NeoRouter Inc 2010 Page 27 of 53
Each resource file is an xml that contains all the strings defined in the NeoRouter applications The file is encoded in
ANSI The content should be in the format
ltxml version=10 encoding=windows-1252gt
ltresource CompactMode=1 Language=English (United States) LANGID=1033
version=09101650gt
ltstring id=100 value=OLE initialization failed Make sure that the OLE libraries are
the correct versiongt
ltresourcegt
Encoding (=windows-1252) Language(=English (United States)) and LANGID(=1033) are used to control
the translation version=09101650 is resource file version number introduced in v0910 The resource file can
be recognized properly only when these parameters are set properly
353 Multi-Language support for Add-ons
The names and descriptions of the add-ons can be translated to other languages as well You can download the add-
on configuration file from NeoRouter website and overwrite the following file
AllUserAppDataZebraNetworkSystemsNeoRouterAddOnsAddOnxml
36 Skin
Skin allows you to further customize the user interfaces of Network Explorer NeoRouter Portable and
Configuration Explorer
To install a new skin you can download the skin resource file from
httpwwwneoroutercomwikiindexphpNeoRouterWikiSkin and place them under the skin folder
For NeoRouter Network Explorer and Configuration Explorer the language resource files should be placed under
one of the following folders
ldquoProgram FilesZebraNetworkSystemsNeoRouterSkinrdquo
ldquoAllUsersAppdataZebraNetworkSystemsNeoRouterSkinrdquo
For NeoRouter PortableUSB the language resource file should be placed under Skin folder next to executable
To change default skin you need to modify (or create if not exists)
AllUserAppDataZebraNetworkSystemsNeoRouterFeatureini file and add the following
[Default]
SkinName=xxxxstyles
SkinStyle=xxxxini
37 Network Explorer CLI
NeoRouter Network Explorer Command Line Interface (CLI) allows user to sign in manage the computer list and
view computer status Below are the screenshots on Mac and Ubuntu Linux
User Manual
NeoRouter Inc 2010 Page 28 of 53
371 Launch CLI
Usage nrclientcmd [-d DOMAIN] [-u USERNAME] [-p PASSWORD] [-setproxy] [-setconn] [-dbroot DBROOT]
[-internal] [--help]
To launch Network Explorer CLI you can simply run nrclientcmd in a terminal without parameters Mac users can
simply double-click on the nrclientcmd shortcut on the Desktop You will be prompted for domain name and user
credential
If you need to launch nrclientcmd in a startup script you can also provide domain name or credential in the
command line arguments
If the client host is behind a proxy you can use ndashsetproxy option The proxy information will be stored in the
configuration file and nrclientcmd will respect this setting subsequently
There are also a few advance options
- setconn allow user to specify client-to-client connection type
- dbroot allow user to specify the location to store user data
- internal nrclientcmd will generate tags between information sections This option can be used by third
party developers to create a UI wrapper for CLI
372 Computer List in CLI
After signing in you will see your computer list just like on Windows The computer list will automatically update
if there are any changes in your virtual LAN eg a host comes online or offline
At the bottom of the screen lists the available commands you can use to manage the computer list change password
remotely wake up a computer or to quit
38 Network Explorer Portable
NeoRouter Network Explorer Portable can run from any computer without installation It does not require
administrator permission or use the virtual network adapter This application can be extremely useful for users who
need to connect to the VLAN from a public kiosk or from friendrsquos house
User Manual
NeoRouter Inc 2010 Page 29 of 53
Note Prior to v111 Portable and USB are two separate packages They are merged into one package in v111 and
later releases The new package is a zip file containing both the portable client and the USB Auto Run Configuration
Tool The functionalities are same as before
381 Network Explorer Portable
To use Network Explorer Portable client user can simply download it from NeoRouter download website and run
Then user will see the same user interface as the regular Network Explorer The user experience is almost the same
except for the following
The host running PortableUSB client cannot be added to the computer list or be accessed by remote computer
You can think of it as a ldquoviewer of the VLANrdquo
NeoRouter administrator users can see and manage hosts running PortableUSB clients in the Configuration
Explorer
382 Auto Run Configuration for USB
Auto Run Configuration Tool allows user to store the portable client add-ons and configuration on a USB drive
You can even configure it to launch and sign in automatically when the USB drive is plugged into a computer and to
sign out and exit when the USB drive is unplugged
Here are the steps for setting up the USB package
a Download NeoRouter for USB
b Unzip the package to any folder For example CTEMP
c Launch the ldquoAuto Run Configuration Toolrdquo (AutoRunCfgexe)
User Manual
NeoRouter Inc 2010 Page 30 of 53
d Click on the ldquohelliprdquo button next to the working directory text box and specify a working path If the target
USB drive is plugged in you can specify the USB drive root path as the working directory Or you can
specify a temporary path (eg CTEMPUSB) and copy the files to your USB driver later
e Once you specify a working directory the Settings section will be enabled
f Choose CliViewerexe from the same install zip package as the Target file
g Check the Sign in checkbox and enter the domain name and user information to log into your NeoRouter
VLAN
h Setup the proxy information if necessary
i If you want to import a NeoRouter add-on click on the button on the right side of the Add-on file text
box and specify an add-on nri file
j If you want to run an application automatically after signing in click on the Run application
automatically check box and input an executable file path and parameters
k If you want to hide the NeoRouter Viewer window click on the Minimize NeoRouter window when
started
l Click on Save button to save the configuration files It will generate the following files under the working
directory
- Autoruninf
- CliViewerexe copied from the target file
- NRAutoRunxml
- [add-on file]nri if you specify an add-on
- Proxyxml if you specify a proxy
m You will also see the following dialog if the configuration was successful Then please copy all files and
sub-folder under the working directory to the root of your USB drive And the USB drive is ready to use
39 Change Password
A user can change hisher password in NeoRouter Network Explorer User must sign in the Network Explorer using
old password then choose menu ldquoFile | Change Passwordrdquo then enter the new password in the dialog
Network Explorer CLI has similar functionality After signing in user can use ndashchangepassword command to enter
new password
If a user loses the old password an administrator can create a new password for himher using the Configuration
Explorer User Management tool
User Manual
NeoRouter Inc 2010 Page 31 of 53
4 Configuration Explorer
NeoRouter Configuration Explorer is a Windows application that allows an administrator to manage local or remote
NeoRouter server This is the recommended method to change server settings
If user does not have a Windows computer nrserver CLI can be used to perform most configurations
41 Launch and Sign In
Note Only administrators can sign in Configuration Explorer
a User can launch it from Windows Start Menu | All Programs | NeoRouter | NeoRouter Network Explorer
or from NeoRouter Network Explorer menu ldquoFile | Optionsrdquo
b After launch user will see a sign-in dialog that is similar to the Network Explorer counterpart Please enter
domain name and user credential to sign in If the local host is behind a proxy please click on Connection
button to set proxy information
c After sign in the following general information page will be displayed
User Manual
NeoRouter Inc 2010 Page 32 of 53
42 Managing Users
In the User Accounts page you can perform the following tasks
- View existing users The users list can be sorted by any column
- Add a new user admin will create a temporary password for the new user and user can change the
password in Network Explorer
- Edit user information you can enter anything like employer contact info etc
- Set userrsquos password If a user loses password admin can set a temporary password for himher Then user
can change the password again in Network Explorer
- Disable (block) a user A disabled user will not be able to sign in Network Explorer or Configuration
Explorer The userrsquos profile and ACL settings are retained
- Delete a user all information of this user is deleted
- View the computers that are visible to this user (see ACL section for details)
User Manual
NeoRouter Inc 2010 Page 33 of 53
43 Managing Computers
In the Computers page you can perform the following tasks
- View existing computers please note that the Type column will show ldquoTemporaryrdquo for Network Explore
PortableUSB clients and ldquoPermanentrdquo for regular clients The computer list can be sorted by any column
- Edit a computerrsquos alias When a computer is added to the virtual network NeoRouter reads the computer
name from the OS and displays it in the computer list If you prefer a different name you can create an
alias which will then be used in the computer list
- Edit a computerrsquos description you can enter anything like computer owner location asset id etc
- Edit ACL this will be discussed in next section
User Manual
NeoRouter Inc 2010 Page 34 of 53
44 Access Control List
This feature is available in NeoRouter Profession Edition only
441 Overview
The ACL of a host specifies which users are granted or denied access to the host and which specific services or ports
are allowed Administrators can use ACL to manage a NeoRouter domain that has users with different trust levels
For example Joe uses NeoRouter to manage the office network at his small business He wants to share some
documents on a file server with a customer but block this customer from accessing other services on this file server
and other computers at office At the same time Joe and his coworkers should continue to have full access to all
computers
This can be a daunting task with traditional VPN solutions Once Joersquos customer is connected into the office
network heshe can access all network resources just like Joe and his coworkers If the office uses a domain
controller it can help mitigate the threat but Joe would have to check all the computers to ensure they are secure
Some coworkers can make innocent mistakes and share important files or internal websites with ldquoeveryonerdquo With
NeoRouter Joe can manage all the access control at one place and easily solve this challenge
User Manual
NeoRouter Inc 2010 Page 35 of 53
ACL defines the relationships between users and computers that can be conceptually represented using a table In
Joersquos case he needs to define the ACL as follows
Default User Joe (Admin) Customer Joersquo Co-workers
Default Computer ACL Block all
File Server Allow all Allow file sharing
block other services
Office Computer A Allow all Block all
Office Computer B Allow all Block all
Joersquos laptop Allow all Block all
Customerrsquos Computer
Letrsquos first look at the row for File Server Joersquos customer will only have access to the files sharing service There is
no ACL defined for Joe and his co-workers so the ACL for Default User is effective and they have full access
Similarly the customer will be blocked from accessing office computer A and B as well as Joersquos laptop while Joe
and his coworkers have full access to these computers
When the customer connects to Joersquos NeoRouter domain his computer will be added to the domain Because the
ACL for this computer is undefined it will have the same ACL as ldquoDefault Computerrdquo Thus the customerrsquos
computer will block all users including Joe from accessing it The customer has physical access to his own
computer
442 Define Computer ACL
You can think of a computerrsquos ACL as a row in the above ACL table An admin can select any computer in the
computer list and edit its ACL If a group of computers share the same ACL admin can copy ACL from one
computer to another
To edit the Default Computer ACL you can click on the ldquoEdit Default ACLrdquo button in the tool bar
User Manual
NeoRouter Inc 2010 Page 36 of 53
443 Define ACL entry
An ACL entry defines the relationship between one user and one computer You can think of it as a cell in the above
table To edit an ACL entry you can select the computer in the computer list click Edit ACL in the tool bar and
then select the user in the User List in the following dialog If the user does not exist in the list you can click Add
button and add himher
There are 4 types of ACL entries
Undefined the relationship between the user and the computer is not explicitly defined The user does not
show up in the User List of the ACL In this case the Default User ACL entry for this computer will be
effective
Block All the computer is invisible to the user User cannot add the computer to hisher computer list in
Network Explorer or connect to it
Note admin can view the list of computers that is visible to a specific user Click on the User Accounts tab
choose the user and then click on the ldquoUser Computer Listrdquo button from tool bar
Firewall On User can only access the services in the exceptions list provided by the computer
Firewall Off User can access all services provided by the computer
To define the Default User ACL entry for a computer choose Default User from User List If several users have the
same trust level admin can copy the ACL entry from one user to another using the ldquoCopy Fromrdquo button
444 How Firewall Works
NeoRouter Client Service daemon has a built-in firewall that monitors traffic in the virtual network The firewall
downloads the ACL from server and uses it to allow or deny incoming connections in the virtual network
User Manual
NeoRouter Inc 2010 Page 37 of 53
When a remote computer establishes a direct P2P or relayed connection to local host it also informs which user has
signed into the Network Explorer on the remote computer Then the local hostrsquos firewall will use the user id to
choose the appropriate ACL entry and control the virtual network traffic between these two computers If user does
not sign in Network Explorer on the remote computer the Default User ACL entry is used
As a result NeoRouter firewall can control a userrsquos access to a network resource (a computer or a service on a
computer) based on the ACL
445 Example hub-and-spoke
Jeffrsquos company has three business partners A B and C Jeff needs to setup bidirectional network connections with
each partner but these partners should be invisible to each other Jeff setup a NeoRouter domain and invited the
partners to Then Jeff creates the following ACL to achieve his access control goals
Default User Jeff (Admin) Partner A Partner B Partner C
Default Computer ACL Block all Allow all
Jeffrsquos Computer 1 (Hub 1) Allow all
Jeffrsquos Computer 2 (Hub 2) Allow all
Partner Arsquos Computer
Partner Brsquos computer
Partner Crsquos computer
Every user will have access to Jeffrsquos two computers (hub) because they have Default User ACL entry as ldquoAllow
allrdquo Partner Arsquos computer does not have a specific ACL defined so the Default Computer ACL is effective The
Default Computer ACL grants Jeff access to Partner Arsquos computer but make the computer invisible to Partner B and
C Partner A have physical access to his own computer
446 Example one-way access
Jasonrsquos company provide technical support for customer A Jason needs to have one-way access to Customer Arsquos
computer but block Customer A from accessing Jasonrsquos computer Jason sets up the following ACL for his domain
and invites Customer A to join his domain Jason can access all the computers in the domain while Customer A can
access none except for his own
One day Jason visits another Customer Brsquos office He installs NeoRouter client on Customer Brsquos computer so that he
can provide technical support remotely in the future When he signs into Network Explorer he makes sure to
uncheck ldquoremember my passwordrdquo checkbox When he leaves customer Brsquos office he exits the Network Explorer
Because Network Explorer is not running on Customer Brsquos computer the Default User ACL governs the
connections from Customer Brsquos computer to other computers in the VLAN Thus Customer B does not have access
to any computers except for his own When Jason goes back to his office he can connect to Customer Brsquos computer
remotely and provide customer support
The difference between Customer A and B is that Customer A has a NeoRouter user account while Customer B does
not The result is that Jason has access to all three computers while Customer A or B can only access hisher own
computer
Default User Jason (Admin) Customer A
Default Computer ACL Block all Allow all
Jasonrsquos Computer
Customer Arsquos Computer
Customer Brsquos Computer
User Manual
NeoRouter Inc 2010 Page 38 of 53
45 Managing Server and Domain
In the Settings page you can perform the following tasks
- Change domain name User should have setup a domain during the server installation If you decide to
change the domain name you can create a new domain at NeoRouter Dashboard website and then use
Configuration Explorer to switch the server to new domain
- Change Listen Port this is discussed in the Advanced Configuration chapter
- Change NAT setting this is discussed in the Server Installation chapter
- Change DHCP this is discussed in the Advanced Configuration chapter
Please restart the NeoRouter server daemon after changes
46 Branding
This feature is available in NeoRouter Profession Edition only
Admin can customize the logo on the sign-in page NeoRouter Network Explorer and the banner below the computer
list The customization page of the Configuration Explorer allows user to make these changes The changes will be
effective next time user signs into the Network Explorer
User Manual
NeoRouter Inc 2010 Page 39 of 53
a Logo format custom logo can be JPG JPEG BMP or GIF files The Logo will be displayed in 180 80
pixels and the file will be automatically resized to fit The color of the pixel at (0 0) will be used as the
transparent color
b Banner format custom banner can be JPG JPEG BMP or GIF files The banner will be displayed in
190 42 pixels and the file will be automatically resized to fit
c When user clicks on the banner Network Explorer will launch a web browser and navigate to the link
specified in the ldquoBanner Linkrdquo box The banner link should be a valid URL that begins with http eg
httpwwwgooglecom
User Manual
NeoRouter Inc 2010 Page 40 of 53
47 Server Configuration CLI
Another way to configure the NeoRouter server is to use nrserverrsquos CLI If user does not have a Windows computer
with Configuration Explorer this tool can be used to set most configurations
Usage nrserver [options]
-run [--dbroot ltDBROOTgt]]
-showsettings
-setdomain ltDOMAINNAMEgt ltDOMAINPASSWORDgt
-setport ltPORTgt
-dhcp ltSUBNETgt ltNETMASKgt
-showusers
-adduser ltUSERNAMEgt ltPASSWORDgt [admin|user]
-setpassword ltUSERNAMEgt ltNEW PASSWORDgt
-setrole ltUSERNAMEgt [admin|user]
-enableuser ltUSERNAMEgt
-disableuser ltUSERNAMEgt
-deleteuser ltUSERNAMEgt
-showcomputers
-deletecomputer COMPUTERNAME
-setalias COMPUTERNAME ALIAS
-help
5 Advanced Configuration
51 Change Server Port
By default NeoRouter server listens at TCP port 32976 for incoming client connections User can change the
listening port to any valid number between 1 and 65534
a Launch Configuration Explorer sign in and open the Settings tab
b Click on ldquoChange Portrdquo button input the new listening port and click ldquoOkrdquo to save the settings
c If the NeoRouter Server is running on the same computer user will be prompted for restarting the
NeoRouter Server
d If the NeoRouter Server is running on a different computer or device user needs to restart the server
manually
User Manual
NeoRouter Inc 2010 Page 41 of 53
Note
- The new settings will not take effect until the NeoRouter server stops and restarts
- Since the listening port has been changed all NeoRouter clients connected to the server will be
disconnected and have to reconnect to the server
52 Change DHCP NeoRouter server acts as a DHCP server to allocate the virtual IP address when a NeoRouter client connects to it By default the base IP address is 100002552552550 User can change the base IP address to any valid network IP address to meet the specific requirements
a Run Configuration Explorer sign in and open the ldquoSettingsrdquo tab b Click on ldquoChange DHCPrdquo button input the new IP address and netmask and then click ldquoOkrdquo to save the
settings c If the NeoRouter Server is running on the same computer user will be prompted for restarting the
NeoRouter Server d If the NeoRouter Server is running on a different computer or device user needs to restart the server
manually
Note
- The new settings will not take effect until the NeoRouter server stops and restarts
53 Network Bridge
531 Overview NeoRouter (v099 or later) supports the Network Bridge feature which uses two very different means for
interconnecting networks routing and bridging Once the feature is enabled the ACL feature will be disabled
automatically as we cannot control the packets from the external networks anymore and may cause security issues if
its not setup properly So this is an advanced feature for the users who know about it every well
Routing - refers to the interconnection of separate and independent sub-networks (subnets) which have non-
overlapping ranges of IP addresses Upon receiving a packet sent to it a network router examines the
destination IP address to determine which of several connected networks should receive it after which that packet
is forwarded to the proper network
User Manual
NeoRouter Inc 2010 Page 42 of 53
Bridging - by comparison is much simpler A network bridge is simply an electrical interconnection between
separate physical networks that are all carrying the same ranges of IP addresses Standard dumb network hubs
and switches are examples of network bridges With a hub packets arriving at any port are bridged and sent
out to every other port A switch is a bit smarter since it is able to adaptively learn which network interface cards
(NICs) are attached to which ports But a switch is still interconnecting network segments carrying the same
ranges of IP addresses
532 Routing vs Bridging Although routed connections are the most common and straightforward to configure they suffer from significant
operational limitations By comparison bridged connections are generally much trickier to configure and are not
even natively available under all operating systems so they are not the default connection type But when bridging
is properly setup it correctly does everything that we want
Bridging and routing are functionally very similar with the major difference being that a routed VPN will not pass
IP broadcasts while a bridged VPN will
Routing advantages
Efficiency and scalability
Allows better tuning of MTU for efficiency
Routing disadvantages
Clients must use a WINS server (such as samba) to allow cross-VPN network browsing to work
Routes must be set up linking each subnet
Software that depends on broadcasts will not see machines on the other side of the VPN
Works only with IPv4 in general and IPv6 in cases where tuntap drivers on both ends of the connection
support it explicitly
Bridging advantages
Broadcasts traverse the VPN -- this allows software that depends on LAN broadcasts such as Windows
NetBIOS file sharing and network neighborhood browsing to work
No route statements to configure
Works with any protocol that can function over ethernet
Relatively easy-to-configure solution for road warriors
Bridging disadvantages
Less efficient than routing and does not scale well
533 Setup Network Bridge With either bridging mode or routing mode one can create point-to-site VPN site-to-site VPN or even multiple site-
to-site networks Once a network structure is well designed one can use Featureini file to control NeoRouter client
service to implement it
The file Featureini is located in the main configuration folder which can be various for different OS
On Windows Xp
XDocuments and SettingsAll UsersApplication DataZebraNetworkSystemsNeoRouter
On Vista+
XUsersAll UsersZebraNetworkSystemsNeoRouter
On Linux and Mac OSX
usrlocalZebraNetworkSystemsNeoRouter
On in-a-box
jffs
If it does not exist please create one
The only thing to do is define the parameters in the Featureini file
User Manual
NeoRouter Inc 2010 Page 43 of 53
NetworkBridge=1
LANSegment parameter
This is a set of parameters used for mapping the external IP address or IP range to a virtual IP address so that
NeoRouter can route the packets to the proper tunnel Its defined in the following format
LANSegment[index]=[IP|IP range|segment]VIP
[index] - number start from 1 for example 123
[IP] - a valid external IP address for example 192168129126
[IP range] - a set of external IP addresses in the format as IP_BEGIN-IP_END For example 192168129126-
192168129128
[segment] - a set of external IP addresses in the format as SUBNETWORKNETMASK For example
19216812902552552550
For example
[Default]
NetworkBridge=1
LANSegment1=192168129126-192168129128192168129204
LANSegment2=192168129120192168129205
LANSegment3=192168302552552550192168129206
In the sample above the setting tells NeoRouter how to route packets
Here are several common scenarios
534 Bridging Setup ndash point to site VPN
Requirement
A company wants create a point-to-site VPN so that the employees can remotely access the printers or computers in
the office from home or customer site Since NeoRouter client cannot be installed on the printers and some
User Manual
NeoRouter Inc 2010 Page 44 of 53
computers that are running Unix OS (HP-Unix Solaris or SCO Unix) the NeoRouter Network Bridge feature
would the best choice
Design
Since we want to use the printer its better to use the bridging mode Depending on the requirements we split the
network into 3 groups
1 192168129126 - 192168128128 used for computers or printers
2 192168129200 - 192168129254 used for NeoRouter DHCP
3 Other IP address we dont want packets from these IP range go to our VPN
Setup
1 Setup NeoRouter server and config the DHCP address to 1921681292002552552550
2 Setup the gateway computer by creating a bridge to combine the NeoRouter virtual adapter and a local adapter
On Windows XP+ (except WinXp x64) one can use Windows tool to create a bridge
(check out MSDN for details)
Since some adapters may not fully support prosmic mode one has to enable it manually
(check out httpsupportmicrosoftcomkb302348)
gt netsh bridge show adapter
gt netsh bridge set a 1 e
gt netsh bridge set a 2 e
On Linux one can use brctl command to create a bridge
gt brctl addbr $br
gt brctl addif $br eth0
gt brctl addif $br nrtap
gt ifconfig nrtap 0000 promisc up
gt ifconfig eth0 0000 promisc up
gt ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast
gt
gt ifconfig $br down
gt brctl delbr $br
3 Setup Featureini file on each member of the NeoRouter network The content of the file is
[Default]
NetworkBridge=1
LANSegment1=192168129126-192168129128192168129204
After setting the file restart the nrservice or reboot computer
User Manual
NeoRouter Inc 2010 Page 45 of 53
535 Routing Setup ndash site to site VPN
Requirement
A company wants create a site-to-site VPN to link two offices located in different cities They cannot install
NeoRouter client software on their computers running Unix OS (HP-Unix Solaris or SCO Unix) The NeoRouter
Network Bridge feature would be the best choice
Design
To make the VPN fast its better to use the routing mode From the requirements we can see 3 networks
1 19216812902552552550 Office 1
2 192168302552552550 Office 2
3 100102552552550 NeoRouter virtual network
Setup
1 Setup NeoRouter client on each gateway computers
2 One each gateway computer enable the feature allowing the OS to forward packets
On Windows 2000+
create HKEY_Local_MachineSystemCurrentControlSetServicesTcpipParametersIPEnableRouter
as a string value equal to 1 in the registry This will require a system reboot to take effect To confirm it
is enabled do ipconfig all from the command line IP Routing Enabled should say yes If not confirm your
registry setting and reboot again This setting is flaky in non-server versions of Windows
Also refer to httpsupportmicrosoftcomkb230082en-us
On Linux
gt echo 1 gt procsysnetipv4ip_forward
User Manual
NeoRouter Inc 2010 Page 46 of 53
On Mac OS X
1) The easy way is to create or edit etcsysctlconf and add netinetipforwarding=1
or
2) gt sysctl -w netinetipforwarding=1
3 Setup route on each gateway
On the gateway of the 1921683x network
gt route ndashp add 1921681290 mask 25525500 1001103
On the gateway of the 192168129x network
gt route ndashp add 19216830 mask 25525500 1001102
4 Setup route stable When using routing method you need to tell your other machines how to cross the VPN to
access computers on the opposite network
Option1
This requires more work but limits configuration changes to be at the computer level
On each computer of the 1921683x network
gt route ndashp add 1921681290 mask 25525500 1921683234
On each computer of the 192168129x network
gt route ndashp add 19216830 mask 25525500 192168129129
Option 2 (not all routers support this but it is the minimal configuration method)
On the router acting as the default gateway for 1921683x network add a static route that says any traffic destined
for 1921681290 network go through 1921683x (IP address of NeoRouter PC on 1921683x network)
On the router acting as the default gateway for 192168129x network add a static route that says any traffic
destined for 19216830 network go through 192168129x (IP address of NeoRouter PC on 192168129x
network)
User Manual
NeoRouter Inc 2010 Page 47 of 53
536 Bridging Setup ndash site to site VPN
537 Run Scripts When Network Bridge feature is enabled one can define commands getting called by NR Client on the following
events
These commands should be defined in the Featureini file
1When initialize the tap device but not activate it yet
CmdOnTapInit=xxxxxxxxx
2When the tap device gets activated
CmdOnTapActive=xxxxxxxxx
3When tap device gets destroyed
CmdOnTapUninit=xxxxxxxxx
These options are available on all platforms
For example one can define a script to setup static route table after the tap gets activated and has virtual IP address
assigned
Featureini
CmdOnTapActive=usrbinsetroutetablesh
User Manual
NeoRouter Inc 2010 Page 48 of 53
54 Build Custom Add-on (Windows)
541 Create Custom Add-on You can customize an add-on or even create your own
As an example letrsquos create an add-on to get the system info of a remote computer using PsTools by Mark
Russinovich and systeminfoexe command shipped with Windows
PsTools httptechnetmicrosoftcomen-ussysinternalsbb896649aspx
systeminfo httptechnetmicrosoftcomen-uslibrarybb491007aspx
a Launch NeoRouter Network Explorer open Add-ons Manager dialog
b Click + button to create a new add-on
c In add-on properties dialog enter the following
Add-on name psexec systeminfo
Command
cmdexe C cpstoolspsexecexe NRIPAddress -u ltusernamegt systeminfo amp pause
Please replace ltusernamegt with username on the remote computer
Comment Get SystemInfo of remote machine using psexec
Startup Type Manual
Icon click Change Icon button to choose one thats easy to recognize
d In the command you can use Windows environment variables or NeoRouter variables like
NRIPAddress If you click on the button next to the Command edit box you will see the Edit
Command dialog with a list of variables you can use
User Manual
NeoRouter Inc 2010 Page 49 of 53
e Three Startup types are supported
Manual the add-on will be displayed in the launch pad of Network Explorer and user can manually
launch the program
Automatic after signing in the add-on command is automatically executed when user signs into
NeoRouter Network Explorer
Automatic after Windows starts the add-on command is automatically executed when Windows
starts
f Launch the new add-on just click on the target computer in Network Explorer and choose the add-on in
the pop-up launch pad
User Manual
NeoRouter Inc 2010 Page 50 of 53
g In the above steps I have assumed that PsTools are installed at cPsTools and the remote computer has
telnet service enabled If not lets configure the system now
PsTools download from httptechnetmicrosoftcomen-ussysinternalsbb896649aspx and extract to
cPsTools folder
h Configure telnet service on remote computer This step is required on XPVista but not necessary on
Windows 20032008 servers
Run servicesmsc from the Start -gt Run command window and configured the Telnet service for
Automatic Start the service
Follow the instructions here httpsupportmicrosoftcomkb298060en-us
Launch Windows firewall and add CWINDOWSSystem32tlntsvrexe to exception list
542 Add-on File Formats
NeoRouter supports two types of add-on files nri and nra Most users only need to deal with nri files all files
downloaded from httpwwwneoroutercomaddonsindexhtml are in this format nra files are used by advanced
users to build custom add-ons
nri is the full installation package that contains both the application and the the configure info Users can simply
download nri files from and use the Install button to setup the add-on
nra contains only the configuration info Advanced users can create custom add-ons and export the configuration
info as nra files using the Export button in the add-on properties dialog Then heshe can import the nra file
on another client But remember that you will need to manually setup the application as well
User Manual
NeoRouter Inc 2010 Page 51 of 53
6 Licensing NeoRouter
61 Licensing Overview
NeoRouter Server Professional Edition has a license control mechanism User can purchase either 8 licenses or 256
licenses The number of licenses is the max number of client computers allowed in the virtual network A
NeoRouter client requires one license regardless of whether it is online or offline A NeoRouter PortableUSB client
requires one license when it is connected to the virtual network There is no limit on the number of user accounts
NeoRouter Professional has 30 days trial period Please activate before the trial period expires to ensure
uninterrupted usage The license status and remaining trial days can be found at Configuration Explorerrsquos General
page
62 Activation
If you have purchased NeoRouter Professional Edition you should receive a product key in email Please have the
product key ready before starting the activation process
a Ensure NeoRouter server is running
b Launch Configuration Explorer and sign in
c Open ldquoGeneralrdquo page click on the ldquoActivate Productrdquo button
d Enter the product key in the following dialog
e Click on the ldquoOKrdquo button to activate it
After successful activation the ldquoActivate Productrdquo button will disappear and License status will show as activated
If the server host is non-Windows you can also activate using nrserverrsquos CLI The command is as follows On Mac
nrserver executable is located under LibraryNeoRouter
ldquonrserver ndashactivateproduct ltPRODUCT KEYgtrdquo
63 Product Key Recovery
You should receive a product key in email within 48 hours after your purchase If you lose the product key please
contact us and provide your name company shipping address and email address We will verify the information and
resend the product key to you
User Manual
NeoRouter Inc 2010 Page 52 of 53
7 Troubleshooting and Support
71 Troubleshooting
If you come cross issues when using NeoRouter please use the methods to debug or report
711 Troubleshooting steps
1Install Server
2Check Server
Process
3Check Server
Listening port
4Check Port
Forwarding
6Signin with
Domain
14Check Error
Message
20 Generate Log
and email support
9Install Client
10Check Client
Service Process
11Sign in with
serverrsquos local or
public IP and port
failed
sucessful
15 Manually Start
Servernot found
started
not start
found
not open17 Check Port
conflicts
solved
Not solved
opened
19 Check Router
Port Forward
setting
not work
Set properly
8Ready
Sign in successfully
5Sign in with
public IP and port
successful
Cannot sign in
22 Router Hairpin
issue
Cannot
sign in
12Sign in with
domain name
found
successful
failed
16 Manually Start
Client ServiceNot found
started
13Ready
Sign in successfully
18 Check serverCannot
Sign in
solved
Cannot
sign in
21 Check domain
setting
Not sovled solved
Troubleshooting Steps
Setup Server Setup Client
Note
Step 2 and 10 to check if a process is running you can use Task Manager or Services Console on
Windows or ps command on other platforms
Step 3 to check server listening port you can use telnet or netstat on all platforms You can also
TcpViewer on Windows or NetActView on Linux
Step 4 to check port forwarding you can use httpwwwneoroutercomcheckportphp
Step 5 and 6 Tip ndash use Configuration Explorer instead of Network Explorer to debug server issues
Step 20 next section will explain how to generate log files
User Manual
NeoRouter Inc 2010 Page 53 of 53
Step 22 If your router does not support Hairpin please set serverrsquos LAN address in the Connection
Options dialog See Server Local Address
712 Generate Log
If you need technical support please use the following steps to collect the log files and send them to
supportneoroutercom
a Launch Network Explorer
b Select menu item HelpgtgtTroubleshootinggtgtLog Session to File
c If you want to troubleshoot the server then restart the NeoRouter server service from the servicesmsc if
you want to create log for the client then restart the NeoRouter client service from the servicemsc
d After reproduce the issue select menu item HelpgtgtTroubleshootinggtgt Log Session to File again to disable
the log and restart the service you are trying to log
e Select menu item HelpgtgtTroubleshootinggtgtOpen Configuration Folder and you will see the log file
For advanced users please setup logging settings manually referring to
httpwwwneoroutercomwikiindexphpNeoRouterWikiFAQHow_to_generate_a_log_file3F
72 Contact Us
Company website
httpwwwneoroutercom
Technical support
supportneoroutercom
Support ticket
httpswwwneoroutercomDashboardSendTicketaspx
Support forum
httpwwwneoroutercomforum
Product sales
salesneoroutercom
Knowledge base
httpwwwneoroutercomsupport
User Manual
NeoRouter Inc 2010 Page 12 of 53
228 Create first administrator account
On Windows the install wizard will guide user to create the administrator
On non-Windows platforms NeoRouter can defer the authentication to the OS So user can sign in NeoRouter
using the same username and password as heshe logs into OS An exception is that if userrsquos OS account does
not have a password NeoRouter will not allow heshe to log in In this case user must create the first
administrator account using nrserver CLI ldquonrserver -adduser ltusernamegt ltpasswordgt [admin|user]rdquo On Mac
nrserver is located under ldquoLibraryNeoRouterrdquo
229 Setup NeoRouter domain
This step is only necessary on non-Windows platforms because Windows install wizard does this
automatically
a Launch web browser navigate to Dashboard CreateDomain page
httpswwwneoroutercomDashboardCreateDomainaspx fill the form and click Save
b Open a terminal on the server host and execute ldquonrserver -setdomain ltdomain namegt ltdomain
passwordgtrdquo On Mac nrserver is located under ldquoLibraryNeoRouterrdquo
2210 Port forwarding
This step is only necessary if your server host is behind a router or firewall We need to expose the NeoRouter
server port to Internet so server can accept incoming connections from the NeoRouter clients If you are using
NeoRouter in-a-box version and your router is directly connected to the cableDSL modem this step is
unnecessary
a Assign the server host a static LAN IP address
b Add ltserver host IP port 32976gt to Port Forwarding list NeoRouter server listens at port 32976 by default
and admin can change the port number using Configuration Explorer or nrserver CLI
Another option is to expose the NeoRouter server port is by UPnP This is only supported on Windows
a Enable UPnP in your router or firewall
b Launch Configuration Explorer on the server host click on ldquoSettingsrdquo tab and change ldquoserver NAT
settingrdquo to ldquoEnable UPnPrdquo
c Click the ldquoRestartrdquo button to restart server daemon
23 Client Setup
231 Install NeoRouter Client on Windows
a Download NeoRouter installation package for Windows NeoRouter server and client for Windows share
the same installation package
If you are installing on Windows 2000 please download the special package for this OS
b If you have installed an earlier version of NeoRouter please uninstall it using Windows Add or Remove
Program tool
c Run the installation wizard choose NeoRouter Client and click the Next button
User Manual
NeoRouter Inc 2010 Page 13 of 53
d On Vista or Win7 you may be prompted with a security warning because NeoRouter installs a virtual
network adapter Please allow the installer to proceed
e Follow the wizard to complete installation
f NeoRouter Network Explorer and Configuration Explorer are added to Windows Start menu
g NeoRouter is installed under ldquoProgram FilesZebraNetworkSystemsNeoRouterrdquo and user data is stored
under ldquoAllUsersAppdataZebraNetworkSystemsNeoRouterrdquo
h NeoRouter client service daemon can be controlled in Services Console (servicesmsc)
232 Install NeoRouter Client on Mac
a Download NeoRouter client for Mac
b If you have installed an earlier version of NeoRouter please uninstall it In a terminal execute command
sudo LibraryNeoRouterrmnrclientsh
c Double-click nrclient-ltversiongt-ltreleasegtdmg to open the disk image in Finder
d Double-click tuntap-ltversiongtpkg to install virtual network interface kernel extension
e Double-click NeoRouterClientmpkg to install NeoRouter client
f On Leopard or above NeoRouter Network Explorer is installed to the Applications folder
g On PPC Tiger a shortcut (nrclientcmd) is created on the Desktop and double-click it will launch Network
Explorer CLI
h NeoRouter is installed under ApplicationsNeoRouterapp and LibraryNeoRouter folder and user data is
stored under usrlocalZebraNetworkSystemsNeoRouter
233 Install NeoRouter Client on Linux
a Download NeoRouter Client for your Linux distribution
b If you have installed an earlier version of NeoRouter please uninstall it
Redhat and Fedora sudo rpm -e nrclient
SuSE sudo rpm -e nrclient
Ubuntu and Debian sudo dpkg -r nrclient
c Install
User Manual
NeoRouter Inc 2010 Page 14 of 53
RedHat and Fedora sudo rpm -i nrclient-ltversiongt-ltreleasegti386rpm
SuSE sudo rpm -i nrclient-ltversiongt-ltreleasegti386rpm
Ubuntu and Debian sudo dpkg -i nrclient-ltversiongt-ltreleasegti386deb
d Configure firewall for P2P connection (Optional)
Establishing direct P2P connection on Linux requires user to disable firewall Otherwise all connections to
this client will be relayed via server User must evaluate the trade-offs between performance and security
If this client is always physically located inside a trusted network like office or home LAN we recommend
disabling firewall and allow P2P connection If this client is physically located in an un-trusted network
like airport or coffee shop we recommend enabling firewall and relay all traffic via server
e Run usrbinnrclientcmd to launch Network Explorer CLI
f NeoRouter is installed under usrbin and user data is stored under
usrlocalZebraNetworkSystemsNeoRouter
234 Install NeoRouter Client on OpenWRT Kamikaze
a Connect to the router using ssh or telnet
b Update available install packages using command opkg update
c If you have installed an earlier version of NeoRouter please uninstall it opkg uninstall nrclient
d Install opkg install httpwwwneoroutercomDownloadsKamikazenrclient_ltversiongt-
ltreleasegt_mipselipk
e Configure firewall for P2P connection (Optional)
Please read NeoRouter client installation instructions for Linux and evaluate the trade-off between
performance and security If you decide to turn off firewall here is the instruction
edit etcfirewalluser and add the following
iptables -t nat -A prerouting_wan -p tcp -j ACCEPT
iptables -A input_wan -p tcp -j ACCEPT
iptables -t nat -A prerouting_wan -p udp -j ACCEPT
iptables -A input_wan -p udp -j ACCEPT
f Run usrbinnrclientcmd to launch Network Explorer CLI
g NeoRouter is installed under usrbin and user data is stored under
usrlocalZebraNetworkSystemsNeoRouter
h Turn your router into a file or backup server (Optional)
If your router has 8MB or more flash there should be enough space left for other packages You can enable
USB storage and Samba server and turn your router into a file server Or you can install rsync and turn it
into a backup server NeoRouters remote access and VPN service will allow you to securely access the
files from anywhere This solution is a lot cheaper than Small Business server or Windows Home server
Enable USB Storage httpnuwikiopenwrtorgoldwikiusbstoragehowto
Install Samba httpwikiopenwrtorgoldwikisambahowto
Install rsync httpoldwikiopenwrtorgrsync(2d)usb(2d)sambaHowTohtml
235 Install NeoRouter Client on Fonera 20N
a As Fonera 20N does not provide enough flash memory to install the NeoRouter client package we can run
it from a USB drive Another option is to flash the router with OpenWrt Kamikaze
b Download NeoRouter Client for Fonera 20N package
c Copy the package to a USB drive plug the USB drive to the FON router
d Connect to router using ssh
e Extract files tar zxvf nrclient-0991528-fon2n-mipseltgz
f If you didnt install the NeoRouter server plugin for FON please run the following commands Otherwise
you can skip this step
cp libuClibc++-022so usrliblibuClibc++-022so
ln -s usrliblibuClibc++-022so usrliblibuClibc++so0
g Setup NeoRouter Client
mkdir usrlocalZebraNetworkSystemsNeoRouter
run ldquonrservice amprdquo to launch the client service in the background
User Manual
NeoRouter Inc 2010 Page 15 of 53
run nrclientcmd to launch the Network Explorer CLI
h Disable firewall if you would like to establish direct P2P connection to this client
i Use the following steps to run client service automatically
vi usrbinnrcronclient and enter
binsh
if [ -z $(ps | grep nrservice | grep -v grep) ] then
usrbinnrservice gtdevnull amp
fi
exit 0
chmod 755 usrbinnrcronclient
Add a new entry to fonstate
etcinitdfonstate stop
vi etcconfigfonstate and enter
config fontimer
option action usrbinnrcronclient
option period 30
etcinitdfonstate start
3 Network Explorer
31 Launch and Sign In
a On Windows launch NeoRouter Network Explorer from Windows Start Menu | All Programs | NeoRouter
| NeoRouter Network Explorer
On Mac Leopard or above launch NeoRouter Network Explorer from Applications folder You can also
pin NeoRouter to the dock
User Manual
NeoRouter Inc 2010 Page 16 of 53
b Enter user credential
- If NeoRouter server is installed on Windows please use the administrator account created during
server setup
- If NeoRouter server is installed on other platforms NeoRouter can defer the authentication to the
operating system so user can sign in using the same username and password as heshe logs into OS
- User can also use the additional accounts created in Configuration Explorer or server CLI
- If you are invited to a NeoRouter domain please contact the administrator for your account
information
c In the Log on to field enter the domain name you have chosen during server setup Alternatively you can
enter the serverrsquos IP address or computer name You can also enter localhost if the Network Explorer is
on the same host as the server
d If the client host is behind proxy please choose Menu ldquoFile | Connectionsrdquo to bring up the Connection
Options dialog click Proxy Setting tab and then set proxy information
e Click the Sign In button
32 Computer List
The computer list is your view of the VLAN You can add any computer in your VLAN to this list and organize
according to your preference You will always have the same list regardless where you sign in from Each user will
have hisher separate list
Initially you will see an empty computer list after signing in for the very first time (see the left picture below) To
add a computer you can choose the menu Computers | Add a computer and then select the computer and category
in the dialog Once complete your computer list will be updated (see the right picture below)
You can use categories to help manage a long list of computers To create a category you can choose menu
Computers | Create a category To move a computer to a different category you can simply drag and drop
User Manual
NeoRouter Inc 2010 Page 17 of 53
Starting in release v098 the computer list shows the OS type icons next to a computer name If a computer is
online its icon is colourful and its name is bold If a computer is offline its icon is grey and its name is not bold
33 Add-on Add-ons extend NeoRouter Network Explorer and let you perform additional tasks over the virtual network
User Manual
NeoRouter Inc 2010 Page 18 of 53
331 Add-on launch pad
If you click on a computer in the computer list a popup dialog will display a list of actions you can take to remotely
control and access this computer This dialog is called the add-on launch pad
Screenshots on Windows
Screenshot on Mac
User Manual
NeoRouter Inc 2010 Page 19 of 53
NeoRouter Network Explorer has a few system default add-ons If a computer is online the following add-ons are
available
Icon Action
remote desktop connection
file sharing
ICMP ping
copy the IP address
If a computer is offline the following add-ons are supported
Icon Action
remote wakeup (WOL)
Note on remote wakeup NeoRouter server can send the Magic packet and wake up hosts that are WOL enabled If
the NeoRouter server is installed on a router remote wakeup works for hosts directly attached to this router If
server is installed on Windows Linux or Mac remote wakeup works for hosts in the same physical LAN To enable
WOL you may need to change BIOS and OS settings
332 Manage Add-ons (Windows)
You can download additional add-ons from the NeoRouter download website
(httpwwwneoroutercomaddonsindexhtml) and install them using the Add-on Manager Here we use UltraVNC
as an example to explain the setup process
a Launch NeoRouter Network Explorer choose menu File - Add-ons
b The Add-ons Manager dialog lists all the existing add-ons including system default ones and those
installed by user
User Manual
NeoRouter Inc 2010 Page 20 of 53
c To find more add-ons click on the Add-ons Gallery link at the bottom of the dialog or visit
httpwwwneoroutercomaddonsindexhtml in your web browser Download the add-on (nri) file to
your computer
d In the Add-ons Manager dialog click on Install button locate the nri file you just downloaded and
click Open to install the add-on
e Some add-ons including UltraVNC may require user to restart the NeoRouter Network Explorer to
complete the installation In such case you will see the following message box You can exit NeoRouter
Network Explorer by right click its icon in system tray and choose exit
f After installation you will see the new add-ons show up in the list
User Manual
NeoRouter Inc 2010 Page 21 of 53
g When you re-launch NeoRouter Network Explorer UltraVNC server will be started automatically If you
have not run UltraVNC server before you will see the following firewall warning and VNC configuration
dialog
h Please click the unblock button when you see the following dialog
Please enter VNC password then click the Ok button
User Manual
NeoRouter Inc 2010 Page 22 of 53
i Repeat the above steps on the remote computer that you plan to access
j To launch VNC viewer and access the remote computer choose the computer in the computer list and
click VNC viewer icon in the launch pad
333 Manage Add-ons (Mac)
a Launch NeoRouter Network Explorer choose menu File - Add-ons
b The Add-ons Manager dialog lists all the existing add-ons including system default ones and those added
by user
User Manual
NeoRouter Inc 2010 Page 23 of 53
c An add-on is essentially an apple script with NeoRouter parameters Here are some examples
Name Script
Copy IP set the clipboard to $NRIPAddress
Ping tell application Terminal to do script ping $NRIPAddress
Shared Folder tell application Finder to open location smb$NRIPAddress
Variables $NRIPAddress and $NRComputerName will be replaced with the IP and name of the selected
computer before the add-on is executed
d You can also create new add-ons or edit existing ones using the Add-On Properties dialog
User Manual
NeoRouter Inc 2010 Page 24 of 53
e To learn more about Apple Script please visit the following websites
httpenwikipediaorgwikiAppleScript
httpdeveloperapplecommaclibrarydocumentationAppleScriptConceptualAppleScriptXAp
pleScriptXhtml
34 Connection Options Connection Options dialog can be opened from Network Explorer menu ldquoFile | Connectionrdquo
341 P2P Connection This option allows user to specify the connection type between this computer and its peers The default option is
UDP User can also use direct TCP connection or relay traffic through NeoRouter server
342 Proxy Setting If the client host is behind proxy user can enter the proxy information here
User Manual
NeoRouter Inc 2010 Page 25 of 53
343 Server Local Address This option can be used to work around the connectivity issue when NeoRouter server is behind a router that does
not support hairpin
A router supports hairpin if it allows a host behind it to send network messages to its public-facing interface
Unfortunately some popular routers do not support this feature or turn off this feature by default
When user logs into NeoRouter Network Explorer first translates domain name into routerrsquos public address using
the NeoRouter DDNS service and then tries to connect to server using this address If both NeoRouter server and
client are behind the same router and the router does not support hairpin the router will block the messages that
client sends to the routerrsquos public address thus client fails to establish connection to server User could work around
this issue by entering serverrsquos LAN IP address instead of domain name in the ldquolog on tordquo box but this can be a
hassle for laptop users who frequently move between networks
These users can choose the second option ldquoConnect to server using its local address when possiblerdquo in the following
dialog and enter serverrsquos local address NeoRouter Network Explorer can detect when client and server are behind
the same router and automatically choose the specified local address to establish the connection to server
User Manual
NeoRouter Inc 2010 Page 26 of 53
35 Multi-Language
Multi-Language support allows you to change the default language displayed in Network Explorer NeoRouter
Portable and Configuration Explorer
351 Install a language resource file
NeoRouter applications support 34 languages and English is the default To install a new language you can
download the language resource files from
httpwwwneoroutercomwikiindexphpNeoRouterWikiMultilanguage and place them under the translation
folder Then the application will load them and list all available languages in the Language menu You can switch
language in the menu and the application will refresh its UI with the new language
For NeoRouter Network Explorer and Configuration Explorer the language resource files should be placed under
one of the following folders
ldquoProgram FilesZebraNetworkSystemsNeoRouterTranslationrdquo
ldquoAllUsersAppdataZebraNetworkSystemsNeoRouterTranslationrdquo
For NeoRouter PortableUSB the language resource file should be placed under Translations folder next to
application
352 Language resource file format
The file name should have the following format [Appliation Name] can be NRClient NRViewer and NRConsole
[LangCd] is the short language code
[Application name]Resource[LangCd][xml|dll]
For example Simplified Chinese version has the following files NRClientResourceZhCnxml for Network
Explorer NRConsoleResourceZhCnxml for Configuration Explorer and NRViewerResourceZhCnxml for
NeoRouter Portable
User Manual
NeoRouter Inc 2010 Page 27 of 53
Each resource file is an xml that contains all the strings defined in the NeoRouter applications The file is encoded in
ANSI The content should be in the format
ltxml version=10 encoding=windows-1252gt
ltresource CompactMode=1 Language=English (United States) LANGID=1033
version=09101650gt
ltstring id=100 value=OLE initialization failed Make sure that the OLE libraries are
the correct versiongt
ltresourcegt
Encoding (=windows-1252) Language(=English (United States)) and LANGID(=1033) are used to control
the translation version=09101650 is resource file version number introduced in v0910 The resource file can
be recognized properly only when these parameters are set properly
353 Multi-Language support for Add-ons
The names and descriptions of the add-ons can be translated to other languages as well You can download the add-
on configuration file from NeoRouter website and overwrite the following file
AllUserAppDataZebraNetworkSystemsNeoRouterAddOnsAddOnxml
36 Skin
Skin allows you to further customize the user interfaces of Network Explorer NeoRouter Portable and
Configuration Explorer
To install a new skin you can download the skin resource file from
httpwwwneoroutercomwikiindexphpNeoRouterWikiSkin and place them under the skin folder
For NeoRouter Network Explorer and Configuration Explorer the language resource files should be placed under
one of the following folders
ldquoProgram FilesZebraNetworkSystemsNeoRouterSkinrdquo
ldquoAllUsersAppdataZebraNetworkSystemsNeoRouterSkinrdquo
For NeoRouter PortableUSB the language resource file should be placed under Skin folder next to executable
To change default skin you need to modify (or create if not exists)
AllUserAppDataZebraNetworkSystemsNeoRouterFeatureini file and add the following
[Default]
SkinName=xxxxstyles
SkinStyle=xxxxini
37 Network Explorer CLI
NeoRouter Network Explorer Command Line Interface (CLI) allows user to sign in manage the computer list and
view computer status Below are the screenshots on Mac and Ubuntu Linux
User Manual
NeoRouter Inc 2010 Page 28 of 53
371 Launch CLI
Usage nrclientcmd [-d DOMAIN] [-u USERNAME] [-p PASSWORD] [-setproxy] [-setconn] [-dbroot DBROOT]
[-internal] [--help]
To launch Network Explorer CLI you can simply run nrclientcmd in a terminal without parameters Mac users can
simply double-click on the nrclientcmd shortcut on the Desktop You will be prompted for domain name and user
credential
If you need to launch nrclientcmd in a startup script you can also provide domain name or credential in the
command line arguments
If the client host is behind a proxy you can use ndashsetproxy option The proxy information will be stored in the
configuration file and nrclientcmd will respect this setting subsequently
There are also a few advance options
- setconn allow user to specify client-to-client connection type
- dbroot allow user to specify the location to store user data
- internal nrclientcmd will generate tags between information sections This option can be used by third
party developers to create a UI wrapper for CLI
372 Computer List in CLI
After signing in you will see your computer list just like on Windows The computer list will automatically update
if there are any changes in your virtual LAN eg a host comes online or offline
At the bottom of the screen lists the available commands you can use to manage the computer list change password
remotely wake up a computer or to quit
38 Network Explorer Portable
NeoRouter Network Explorer Portable can run from any computer without installation It does not require
administrator permission or use the virtual network adapter This application can be extremely useful for users who
need to connect to the VLAN from a public kiosk or from friendrsquos house
User Manual
NeoRouter Inc 2010 Page 29 of 53
Note Prior to v111 Portable and USB are two separate packages They are merged into one package in v111 and
later releases The new package is a zip file containing both the portable client and the USB Auto Run Configuration
Tool The functionalities are same as before
381 Network Explorer Portable
To use Network Explorer Portable client user can simply download it from NeoRouter download website and run
Then user will see the same user interface as the regular Network Explorer The user experience is almost the same
except for the following
The host running PortableUSB client cannot be added to the computer list or be accessed by remote computer
You can think of it as a ldquoviewer of the VLANrdquo
NeoRouter administrator users can see and manage hosts running PortableUSB clients in the Configuration
Explorer
382 Auto Run Configuration for USB
Auto Run Configuration Tool allows user to store the portable client add-ons and configuration on a USB drive
You can even configure it to launch and sign in automatically when the USB drive is plugged into a computer and to
sign out and exit when the USB drive is unplugged
Here are the steps for setting up the USB package
a Download NeoRouter for USB
b Unzip the package to any folder For example CTEMP
c Launch the ldquoAuto Run Configuration Toolrdquo (AutoRunCfgexe)
User Manual
NeoRouter Inc 2010 Page 30 of 53
d Click on the ldquohelliprdquo button next to the working directory text box and specify a working path If the target
USB drive is plugged in you can specify the USB drive root path as the working directory Or you can
specify a temporary path (eg CTEMPUSB) and copy the files to your USB driver later
e Once you specify a working directory the Settings section will be enabled
f Choose CliViewerexe from the same install zip package as the Target file
g Check the Sign in checkbox and enter the domain name and user information to log into your NeoRouter
VLAN
h Setup the proxy information if necessary
i If you want to import a NeoRouter add-on click on the button on the right side of the Add-on file text
box and specify an add-on nri file
j If you want to run an application automatically after signing in click on the Run application
automatically check box and input an executable file path and parameters
k If you want to hide the NeoRouter Viewer window click on the Minimize NeoRouter window when
started
l Click on Save button to save the configuration files It will generate the following files under the working
directory
- Autoruninf
- CliViewerexe copied from the target file
- NRAutoRunxml
- [add-on file]nri if you specify an add-on
- Proxyxml if you specify a proxy
m You will also see the following dialog if the configuration was successful Then please copy all files and
sub-folder under the working directory to the root of your USB drive And the USB drive is ready to use
39 Change Password
A user can change hisher password in NeoRouter Network Explorer User must sign in the Network Explorer using
old password then choose menu ldquoFile | Change Passwordrdquo then enter the new password in the dialog
Network Explorer CLI has similar functionality After signing in user can use ndashchangepassword command to enter
new password
If a user loses the old password an administrator can create a new password for himher using the Configuration
Explorer User Management tool
User Manual
NeoRouter Inc 2010 Page 31 of 53
4 Configuration Explorer
NeoRouter Configuration Explorer is a Windows application that allows an administrator to manage local or remote
NeoRouter server This is the recommended method to change server settings
If user does not have a Windows computer nrserver CLI can be used to perform most configurations
41 Launch and Sign In
Note Only administrators can sign in Configuration Explorer
a User can launch it from Windows Start Menu | All Programs | NeoRouter | NeoRouter Network Explorer
or from NeoRouter Network Explorer menu ldquoFile | Optionsrdquo
b After launch user will see a sign-in dialog that is similar to the Network Explorer counterpart Please enter
domain name and user credential to sign in If the local host is behind a proxy please click on Connection
button to set proxy information
c After sign in the following general information page will be displayed
User Manual
NeoRouter Inc 2010 Page 32 of 53
42 Managing Users
In the User Accounts page you can perform the following tasks
- View existing users The users list can be sorted by any column
- Add a new user admin will create a temporary password for the new user and user can change the
password in Network Explorer
- Edit user information you can enter anything like employer contact info etc
- Set userrsquos password If a user loses password admin can set a temporary password for himher Then user
can change the password again in Network Explorer
- Disable (block) a user A disabled user will not be able to sign in Network Explorer or Configuration
Explorer The userrsquos profile and ACL settings are retained
- Delete a user all information of this user is deleted
- View the computers that are visible to this user (see ACL section for details)
User Manual
NeoRouter Inc 2010 Page 33 of 53
43 Managing Computers
In the Computers page you can perform the following tasks
- View existing computers please note that the Type column will show ldquoTemporaryrdquo for Network Explore
PortableUSB clients and ldquoPermanentrdquo for regular clients The computer list can be sorted by any column
- Edit a computerrsquos alias When a computer is added to the virtual network NeoRouter reads the computer
name from the OS and displays it in the computer list If you prefer a different name you can create an
alias which will then be used in the computer list
- Edit a computerrsquos description you can enter anything like computer owner location asset id etc
- Edit ACL this will be discussed in next section
User Manual
NeoRouter Inc 2010 Page 34 of 53
44 Access Control List
This feature is available in NeoRouter Profession Edition only
441 Overview
The ACL of a host specifies which users are granted or denied access to the host and which specific services or ports
are allowed Administrators can use ACL to manage a NeoRouter domain that has users with different trust levels
For example Joe uses NeoRouter to manage the office network at his small business He wants to share some
documents on a file server with a customer but block this customer from accessing other services on this file server
and other computers at office At the same time Joe and his coworkers should continue to have full access to all
computers
This can be a daunting task with traditional VPN solutions Once Joersquos customer is connected into the office
network heshe can access all network resources just like Joe and his coworkers If the office uses a domain
controller it can help mitigate the threat but Joe would have to check all the computers to ensure they are secure
Some coworkers can make innocent mistakes and share important files or internal websites with ldquoeveryonerdquo With
NeoRouter Joe can manage all the access control at one place and easily solve this challenge
User Manual
NeoRouter Inc 2010 Page 35 of 53
ACL defines the relationships between users and computers that can be conceptually represented using a table In
Joersquos case he needs to define the ACL as follows
Default User Joe (Admin) Customer Joersquo Co-workers
Default Computer ACL Block all
File Server Allow all Allow file sharing
block other services
Office Computer A Allow all Block all
Office Computer B Allow all Block all
Joersquos laptop Allow all Block all
Customerrsquos Computer
Letrsquos first look at the row for File Server Joersquos customer will only have access to the files sharing service There is
no ACL defined for Joe and his co-workers so the ACL for Default User is effective and they have full access
Similarly the customer will be blocked from accessing office computer A and B as well as Joersquos laptop while Joe
and his coworkers have full access to these computers
When the customer connects to Joersquos NeoRouter domain his computer will be added to the domain Because the
ACL for this computer is undefined it will have the same ACL as ldquoDefault Computerrdquo Thus the customerrsquos
computer will block all users including Joe from accessing it The customer has physical access to his own
computer
442 Define Computer ACL
You can think of a computerrsquos ACL as a row in the above ACL table An admin can select any computer in the
computer list and edit its ACL If a group of computers share the same ACL admin can copy ACL from one
computer to another
To edit the Default Computer ACL you can click on the ldquoEdit Default ACLrdquo button in the tool bar
User Manual
NeoRouter Inc 2010 Page 36 of 53
443 Define ACL entry
An ACL entry defines the relationship between one user and one computer You can think of it as a cell in the above
table To edit an ACL entry you can select the computer in the computer list click Edit ACL in the tool bar and
then select the user in the User List in the following dialog If the user does not exist in the list you can click Add
button and add himher
There are 4 types of ACL entries
Undefined the relationship between the user and the computer is not explicitly defined The user does not
show up in the User List of the ACL In this case the Default User ACL entry for this computer will be
effective
Block All the computer is invisible to the user User cannot add the computer to hisher computer list in
Network Explorer or connect to it
Note admin can view the list of computers that is visible to a specific user Click on the User Accounts tab
choose the user and then click on the ldquoUser Computer Listrdquo button from tool bar
Firewall On User can only access the services in the exceptions list provided by the computer
Firewall Off User can access all services provided by the computer
To define the Default User ACL entry for a computer choose Default User from User List If several users have the
same trust level admin can copy the ACL entry from one user to another using the ldquoCopy Fromrdquo button
444 How Firewall Works
NeoRouter Client Service daemon has a built-in firewall that monitors traffic in the virtual network The firewall
downloads the ACL from server and uses it to allow or deny incoming connections in the virtual network
User Manual
NeoRouter Inc 2010 Page 37 of 53
When a remote computer establishes a direct P2P or relayed connection to local host it also informs which user has
signed into the Network Explorer on the remote computer Then the local hostrsquos firewall will use the user id to
choose the appropriate ACL entry and control the virtual network traffic between these two computers If user does
not sign in Network Explorer on the remote computer the Default User ACL entry is used
As a result NeoRouter firewall can control a userrsquos access to a network resource (a computer or a service on a
computer) based on the ACL
445 Example hub-and-spoke
Jeffrsquos company has three business partners A B and C Jeff needs to setup bidirectional network connections with
each partner but these partners should be invisible to each other Jeff setup a NeoRouter domain and invited the
partners to Then Jeff creates the following ACL to achieve his access control goals
Default User Jeff (Admin) Partner A Partner B Partner C
Default Computer ACL Block all Allow all
Jeffrsquos Computer 1 (Hub 1) Allow all
Jeffrsquos Computer 2 (Hub 2) Allow all
Partner Arsquos Computer
Partner Brsquos computer
Partner Crsquos computer
Every user will have access to Jeffrsquos two computers (hub) because they have Default User ACL entry as ldquoAllow
allrdquo Partner Arsquos computer does not have a specific ACL defined so the Default Computer ACL is effective The
Default Computer ACL grants Jeff access to Partner Arsquos computer but make the computer invisible to Partner B and
C Partner A have physical access to his own computer
446 Example one-way access
Jasonrsquos company provide technical support for customer A Jason needs to have one-way access to Customer Arsquos
computer but block Customer A from accessing Jasonrsquos computer Jason sets up the following ACL for his domain
and invites Customer A to join his domain Jason can access all the computers in the domain while Customer A can
access none except for his own
One day Jason visits another Customer Brsquos office He installs NeoRouter client on Customer Brsquos computer so that he
can provide technical support remotely in the future When he signs into Network Explorer he makes sure to
uncheck ldquoremember my passwordrdquo checkbox When he leaves customer Brsquos office he exits the Network Explorer
Because Network Explorer is not running on Customer Brsquos computer the Default User ACL governs the
connections from Customer Brsquos computer to other computers in the VLAN Thus Customer B does not have access
to any computers except for his own When Jason goes back to his office he can connect to Customer Brsquos computer
remotely and provide customer support
The difference between Customer A and B is that Customer A has a NeoRouter user account while Customer B does
not The result is that Jason has access to all three computers while Customer A or B can only access hisher own
computer
Default User Jason (Admin) Customer A
Default Computer ACL Block all Allow all
Jasonrsquos Computer
Customer Arsquos Computer
Customer Brsquos Computer
User Manual
NeoRouter Inc 2010 Page 38 of 53
45 Managing Server and Domain
In the Settings page you can perform the following tasks
- Change domain name User should have setup a domain during the server installation If you decide to
change the domain name you can create a new domain at NeoRouter Dashboard website and then use
Configuration Explorer to switch the server to new domain
- Change Listen Port this is discussed in the Advanced Configuration chapter
- Change NAT setting this is discussed in the Server Installation chapter
- Change DHCP this is discussed in the Advanced Configuration chapter
Please restart the NeoRouter server daemon after changes
46 Branding
This feature is available in NeoRouter Profession Edition only
Admin can customize the logo on the sign-in page NeoRouter Network Explorer and the banner below the computer
list The customization page of the Configuration Explorer allows user to make these changes The changes will be
effective next time user signs into the Network Explorer
User Manual
NeoRouter Inc 2010 Page 39 of 53
a Logo format custom logo can be JPG JPEG BMP or GIF files The Logo will be displayed in 180 80
pixels and the file will be automatically resized to fit The color of the pixel at (0 0) will be used as the
transparent color
b Banner format custom banner can be JPG JPEG BMP or GIF files The banner will be displayed in
190 42 pixels and the file will be automatically resized to fit
c When user clicks on the banner Network Explorer will launch a web browser and navigate to the link
specified in the ldquoBanner Linkrdquo box The banner link should be a valid URL that begins with http eg
httpwwwgooglecom
User Manual
NeoRouter Inc 2010 Page 40 of 53
47 Server Configuration CLI
Another way to configure the NeoRouter server is to use nrserverrsquos CLI If user does not have a Windows computer
with Configuration Explorer this tool can be used to set most configurations
Usage nrserver [options]
-run [--dbroot ltDBROOTgt]]
-showsettings
-setdomain ltDOMAINNAMEgt ltDOMAINPASSWORDgt
-setport ltPORTgt
-dhcp ltSUBNETgt ltNETMASKgt
-showusers
-adduser ltUSERNAMEgt ltPASSWORDgt [admin|user]
-setpassword ltUSERNAMEgt ltNEW PASSWORDgt
-setrole ltUSERNAMEgt [admin|user]
-enableuser ltUSERNAMEgt
-disableuser ltUSERNAMEgt
-deleteuser ltUSERNAMEgt
-showcomputers
-deletecomputer COMPUTERNAME
-setalias COMPUTERNAME ALIAS
-help
5 Advanced Configuration
51 Change Server Port
By default NeoRouter server listens at TCP port 32976 for incoming client connections User can change the
listening port to any valid number between 1 and 65534
a Launch Configuration Explorer sign in and open the Settings tab
b Click on ldquoChange Portrdquo button input the new listening port and click ldquoOkrdquo to save the settings
c If the NeoRouter Server is running on the same computer user will be prompted for restarting the
NeoRouter Server
d If the NeoRouter Server is running on a different computer or device user needs to restart the server
manually
User Manual
NeoRouter Inc 2010 Page 41 of 53
Note
- The new settings will not take effect until the NeoRouter server stops and restarts
- Since the listening port has been changed all NeoRouter clients connected to the server will be
disconnected and have to reconnect to the server
52 Change DHCP NeoRouter server acts as a DHCP server to allocate the virtual IP address when a NeoRouter client connects to it By default the base IP address is 100002552552550 User can change the base IP address to any valid network IP address to meet the specific requirements
a Run Configuration Explorer sign in and open the ldquoSettingsrdquo tab b Click on ldquoChange DHCPrdquo button input the new IP address and netmask and then click ldquoOkrdquo to save the
settings c If the NeoRouter Server is running on the same computer user will be prompted for restarting the
NeoRouter Server d If the NeoRouter Server is running on a different computer or device user needs to restart the server
manually
Note
- The new settings will not take effect until the NeoRouter server stops and restarts
53 Network Bridge
531 Overview NeoRouter (v099 or later) supports the Network Bridge feature which uses two very different means for
interconnecting networks routing and bridging Once the feature is enabled the ACL feature will be disabled
automatically as we cannot control the packets from the external networks anymore and may cause security issues if
its not setup properly So this is an advanced feature for the users who know about it every well
Routing - refers to the interconnection of separate and independent sub-networks (subnets) which have non-
overlapping ranges of IP addresses Upon receiving a packet sent to it a network router examines the
destination IP address to determine which of several connected networks should receive it after which that packet
is forwarded to the proper network
User Manual
NeoRouter Inc 2010 Page 42 of 53
Bridging - by comparison is much simpler A network bridge is simply an electrical interconnection between
separate physical networks that are all carrying the same ranges of IP addresses Standard dumb network hubs
and switches are examples of network bridges With a hub packets arriving at any port are bridged and sent
out to every other port A switch is a bit smarter since it is able to adaptively learn which network interface cards
(NICs) are attached to which ports But a switch is still interconnecting network segments carrying the same
ranges of IP addresses
532 Routing vs Bridging Although routed connections are the most common and straightforward to configure they suffer from significant
operational limitations By comparison bridged connections are generally much trickier to configure and are not
even natively available under all operating systems so they are not the default connection type But when bridging
is properly setup it correctly does everything that we want
Bridging and routing are functionally very similar with the major difference being that a routed VPN will not pass
IP broadcasts while a bridged VPN will
Routing advantages
Efficiency and scalability
Allows better tuning of MTU for efficiency
Routing disadvantages
Clients must use a WINS server (such as samba) to allow cross-VPN network browsing to work
Routes must be set up linking each subnet
Software that depends on broadcasts will not see machines on the other side of the VPN
Works only with IPv4 in general and IPv6 in cases where tuntap drivers on both ends of the connection
support it explicitly
Bridging advantages
Broadcasts traverse the VPN -- this allows software that depends on LAN broadcasts such as Windows
NetBIOS file sharing and network neighborhood browsing to work
No route statements to configure
Works with any protocol that can function over ethernet
Relatively easy-to-configure solution for road warriors
Bridging disadvantages
Less efficient than routing and does not scale well
533 Setup Network Bridge With either bridging mode or routing mode one can create point-to-site VPN site-to-site VPN or even multiple site-
to-site networks Once a network structure is well designed one can use Featureini file to control NeoRouter client
service to implement it
The file Featureini is located in the main configuration folder which can be various for different OS
On Windows Xp
XDocuments and SettingsAll UsersApplication DataZebraNetworkSystemsNeoRouter
On Vista+
XUsersAll UsersZebraNetworkSystemsNeoRouter
On Linux and Mac OSX
usrlocalZebraNetworkSystemsNeoRouter
On in-a-box
jffs
If it does not exist please create one
The only thing to do is define the parameters in the Featureini file
User Manual
NeoRouter Inc 2010 Page 43 of 53
NetworkBridge=1
LANSegment parameter
This is a set of parameters used for mapping the external IP address or IP range to a virtual IP address so that
NeoRouter can route the packets to the proper tunnel Its defined in the following format
LANSegment[index]=[IP|IP range|segment]VIP
[index] - number start from 1 for example 123
[IP] - a valid external IP address for example 192168129126
[IP range] - a set of external IP addresses in the format as IP_BEGIN-IP_END For example 192168129126-
192168129128
[segment] - a set of external IP addresses in the format as SUBNETWORKNETMASK For example
19216812902552552550
For example
[Default]
NetworkBridge=1
LANSegment1=192168129126-192168129128192168129204
LANSegment2=192168129120192168129205
LANSegment3=192168302552552550192168129206
In the sample above the setting tells NeoRouter how to route packets
Here are several common scenarios
534 Bridging Setup ndash point to site VPN
Requirement
A company wants create a point-to-site VPN so that the employees can remotely access the printers or computers in
the office from home or customer site Since NeoRouter client cannot be installed on the printers and some
User Manual
NeoRouter Inc 2010 Page 44 of 53
computers that are running Unix OS (HP-Unix Solaris or SCO Unix) the NeoRouter Network Bridge feature
would the best choice
Design
Since we want to use the printer its better to use the bridging mode Depending on the requirements we split the
network into 3 groups
1 192168129126 - 192168128128 used for computers or printers
2 192168129200 - 192168129254 used for NeoRouter DHCP
3 Other IP address we dont want packets from these IP range go to our VPN
Setup
1 Setup NeoRouter server and config the DHCP address to 1921681292002552552550
2 Setup the gateway computer by creating a bridge to combine the NeoRouter virtual adapter and a local adapter
On Windows XP+ (except WinXp x64) one can use Windows tool to create a bridge
(check out MSDN for details)
Since some adapters may not fully support prosmic mode one has to enable it manually
(check out httpsupportmicrosoftcomkb302348)
gt netsh bridge show adapter
gt netsh bridge set a 1 e
gt netsh bridge set a 2 e
On Linux one can use brctl command to create a bridge
gt brctl addbr $br
gt brctl addif $br eth0
gt brctl addif $br nrtap
gt ifconfig nrtap 0000 promisc up
gt ifconfig eth0 0000 promisc up
gt ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast
gt
gt ifconfig $br down
gt brctl delbr $br
3 Setup Featureini file on each member of the NeoRouter network The content of the file is
[Default]
NetworkBridge=1
LANSegment1=192168129126-192168129128192168129204
After setting the file restart the nrservice or reboot computer
User Manual
NeoRouter Inc 2010 Page 45 of 53
535 Routing Setup ndash site to site VPN
Requirement
A company wants create a site-to-site VPN to link two offices located in different cities They cannot install
NeoRouter client software on their computers running Unix OS (HP-Unix Solaris or SCO Unix) The NeoRouter
Network Bridge feature would be the best choice
Design
To make the VPN fast its better to use the routing mode From the requirements we can see 3 networks
1 19216812902552552550 Office 1
2 192168302552552550 Office 2
3 100102552552550 NeoRouter virtual network
Setup
1 Setup NeoRouter client on each gateway computers
2 One each gateway computer enable the feature allowing the OS to forward packets
On Windows 2000+
create HKEY_Local_MachineSystemCurrentControlSetServicesTcpipParametersIPEnableRouter
as a string value equal to 1 in the registry This will require a system reboot to take effect To confirm it
is enabled do ipconfig all from the command line IP Routing Enabled should say yes If not confirm your
registry setting and reboot again This setting is flaky in non-server versions of Windows
Also refer to httpsupportmicrosoftcomkb230082en-us
On Linux
gt echo 1 gt procsysnetipv4ip_forward
User Manual
NeoRouter Inc 2010 Page 46 of 53
On Mac OS X
1) The easy way is to create or edit etcsysctlconf and add netinetipforwarding=1
or
2) gt sysctl -w netinetipforwarding=1
3 Setup route on each gateway
On the gateway of the 1921683x network
gt route ndashp add 1921681290 mask 25525500 1001103
On the gateway of the 192168129x network
gt route ndashp add 19216830 mask 25525500 1001102
4 Setup route stable When using routing method you need to tell your other machines how to cross the VPN to
access computers on the opposite network
Option1
This requires more work but limits configuration changes to be at the computer level
On each computer of the 1921683x network
gt route ndashp add 1921681290 mask 25525500 1921683234
On each computer of the 192168129x network
gt route ndashp add 19216830 mask 25525500 192168129129
Option 2 (not all routers support this but it is the minimal configuration method)
On the router acting as the default gateway for 1921683x network add a static route that says any traffic destined
for 1921681290 network go through 1921683x (IP address of NeoRouter PC on 1921683x network)
On the router acting as the default gateway for 192168129x network add a static route that says any traffic
destined for 19216830 network go through 192168129x (IP address of NeoRouter PC on 192168129x
network)
User Manual
NeoRouter Inc 2010 Page 47 of 53
536 Bridging Setup ndash site to site VPN
537 Run Scripts When Network Bridge feature is enabled one can define commands getting called by NR Client on the following
events
These commands should be defined in the Featureini file
1When initialize the tap device but not activate it yet
CmdOnTapInit=xxxxxxxxx
2When the tap device gets activated
CmdOnTapActive=xxxxxxxxx
3When tap device gets destroyed
CmdOnTapUninit=xxxxxxxxx
These options are available on all platforms
For example one can define a script to setup static route table after the tap gets activated and has virtual IP address
assigned
Featureini
CmdOnTapActive=usrbinsetroutetablesh
User Manual
NeoRouter Inc 2010 Page 48 of 53
54 Build Custom Add-on (Windows)
541 Create Custom Add-on You can customize an add-on or even create your own
As an example letrsquos create an add-on to get the system info of a remote computer using PsTools by Mark
Russinovich and systeminfoexe command shipped with Windows
PsTools httptechnetmicrosoftcomen-ussysinternalsbb896649aspx
systeminfo httptechnetmicrosoftcomen-uslibrarybb491007aspx
a Launch NeoRouter Network Explorer open Add-ons Manager dialog
b Click + button to create a new add-on
c In add-on properties dialog enter the following
Add-on name psexec systeminfo
Command
cmdexe C cpstoolspsexecexe NRIPAddress -u ltusernamegt systeminfo amp pause
Please replace ltusernamegt with username on the remote computer
Comment Get SystemInfo of remote machine using psexec
Startup Type Manual
Icon click Change Icon button to choose one thats easy to recognize
d In the command you can use Windows environment variables or NeoRouter variables like
NRIPAddress If you click on the button next to the Command edit box you will see the Edit
Command dialog with a list of variables you can use
User Manual
NeoRouter Inc 2010 Page 49 of 53
e Three Startup types are supported
Manual the add-on will be displayed in the launch pad of Network Explorer and user can manually
launch the program
Automatic after signing in the add-on command is automatically executed when user signs into
NeoRouter Network Explorer
Automatic after Windows starts the add-on command is automatically executed when Windows
starts
f Launch the new add-on just click on the target computer in Network Explorer and choose the add-on in
the pop-up launch pad
User Manual
NeoRouter Inc 2010 Page 50 of 53
g In the above steps I have assumed that PsTools are installed at cPsTools and the remote computer has
telnet service enabled If not lets configure the system now
PsTools download from httptechnetmicrosoftcomen-ussysinternalsbb896649aspx and extract to
cPsTools folder
h Configure telnet service on remote computer This step is required on XPVista but not necessary on
Windows 20032008 servers
Run servicesmsc from the Start -gt Run command window and configured the Telnet service for
Automatic Start the service
Follow the instructions here httpsupportmicrosoftcomkb298060en-us
Launch Windows firewall and add CWINDOWSSystem32tlntsvrexe to exception list
542 Add-on File Formats
NeoRouter supports two types of add-on files nri and nra Most users only need to deal with nri files all files
downloaded from httpwwwneoroutercomaddonsindexhtml are in this format nra files are used by advanced
users to build custom add-ons
nri is the full installation package that contains both the application and the the configure info Users can simply
download nri files from and use the Install button to setup the add-on
nra contains only the configuration info Advanced users can create custom add-ons and export the configuration
info as nra files using the Export button in the add-on properties dialog Then heshe can import the nra file
on another client But remember that you will need to manually setup the application as well
User Manual
NeoRouter Inc 2010 Page 51 of 53
6 Licensing NeoRouter
61 Licensing Overview
NeoRouter Server Professional Edition has a license control mechanism User can purchase either 8 licenses or 256
licenses The number of licenses is the max number of client computers allowed in the virtual network A
NeoRouter client requires one license regardless of whether it is online or offline A NeoRouter PortableUSB client
requires one license when it is connected to the virtual network There is no limit on the number of user accounts
NeoRouter Professional has 30 days trial period Please activate before the trial period expires to ensure
uninterrupted usage The license status and remaining trial days can be found at Configuration Explorerrsquos General
page
62 Activation
If you have purchased NeoRouter Professional Edition you should receive a product key in email Please have the
product key ready before starting the activation process
a Ensure NeoRouter server is running
b Launch Configuration Explorer and sign in
c Open ldquoGeneralrdquo page click on the ldquoActivate Productrdquo button
d Enter the product key in the following dialog
e Click on the ldquoOKrdquo button to activate it
After successful activation the ldquoActivate Productrdquo button will disappear and License status will show as activated
If the server host is non-Windows you can also activate using nrserverrsquos CLI The command is as follows On Mac
nrserver executable is located under LibraryNeoRouter
ldquonrserver ndashactivateproduct ltPRODUCT KEYgtrdquo
63 Product Key Recovery
You should receive a product key in email within 48 hours after your purchase If you lose the product key please
contact us and provide your name company shipping address and email address We will verify the information and
resend the product key to you
User Manual
NeoRouter Inc 2010 Page 52 of 53
7 Troubleshooting and Support
71 Troubleshooting
If you come cross issues when using NeoRouter please use the methods to debug or report
711 Troubleshooting steps
1Install Server
2Check Server
Process
3Check Server
Listening port
4Check Port
Forwarding
6Signin with
Domain
14Check Error
Message
20 Generate Log
and email support
9Install Client
10Check Client
Service Process
11Sign in with
serverrsquos local or
public IP and port
failed
sucessful
15 Manually Start
Servernot found
started
not start
found
not open17 Check Port
conflicts
solved
Not solved
opened
19 Check Router
Port Forward
setting
not work
Set properly
8Ready
Sign in successfully
5Sign in with
public IP and port
successful
Cannot sign in
22 Router Hairpin
issue
Cannot
sign in
12Sign in with
domain name
found
successful
failed
16 Manually Start
Client ServiceNot found
started
13Ready
Sign in successfully
18 Check serverCannot
Sign in
solved
Cannot
sign in
21 Check domain
setting
Not sovled solved
Troubleshooting Steps
Setup Server Setup Client
Note
Step 2 and 10 to check if a process is running you can use Task Manager or Services Console on
Windows or ps command on other platforms
Step 3 to check server listening port you can use telnet or netstat on all platforms You can also
TcpViewer on Windows or NetActView on Linux
Step 4 to check port forwarding you can use httpwwwneoroutercomcheckportphp
Step 5 and 6 Tip ndash use Configuration Explorer instead of Network Explorer to debug server issues
Step 20 next section will explain how to generate log files
User Manual
NeoRouter Inc 2010 Page 53 of 53
Step 22 If your router does not support Hairpin please set serverrsquos LAN address in the Connection
Options dialog See Server Local Address
712 Generate Log
If you need technical support please use the following steps to collect the log files and send them to
supportneoroutercom
a Launch Network Explorer
b Select menu item HelpgtgtTroubleshootinggtgtLog Session to File
c If you want to troubleshoot the server then restart the NeoRouter server service from the servicesmsc if
you want to create log for the client then restart the NeoRouter client service from the servicemsc
d After reproduce the issue select menu item HelpgtgtTroubleshootinggtgt Log Session to File again to disable
the log and restart the service you are trying to log
e Select menu item HelpgtgtTroubleshootinggtgtOpen Configuration Folder and you will see the log file
For advanced users please setup logging settings manually referring to
httpwwwneoroutercomwikiindexphpNeoRouterWikiFAQHow_to_generate_a_log_file3F
72 Contact Us
Company website
httpwwwneoroutercom
Technical support
supportneoroutercom
Support ticket
httpswwwneoroutercomDashboardSendTicketaspx
Support forum
httpwwwneoroutercomforum
Product sales
salesneoroutercom
Knowledge base
httpwwwneoroutercomsupport
User Manual
NeoRouter Inc 2010 Page 13 of 53
d On Vista or Win7 you may be prompted with a security warning because NeoRouter installs a virtual
network adapter Please allow the installer to proceed
e Follow the wizard to complete installation
f NeoRouter Network Explorer and Configuration Explorer are added to Windows Start menu
g NeoRouter is installed under ldquoProgram FilesZebraNetworkSystemsNeoRouterrdquo and user data is stored
under ldquoAllUsersAppdataZebraNetworkSystemsNeoRouterrdquo
h NeoRouter client service daemon can be controlled in Services Console (servicesmsc)
232 Install NeoRouter Client on Mac
a Download NeoRouter client for Mac
b If you have installed an earlier version of NeoRouter please uninstall it In a terminal execute command
sudo LibraryNeoRouterrmnrclientsh
c Double-click nrclient-ltversiongt-ltreleasegtdmg to open the disk image in Finder
d Double-click tuntap-ltversiongtpkg to install virtual network interface kernel extension
e Double-click NeoRouterClientmpkg to install NeoRouter client
f On Leopard or above NeoRouter Network Explorer is installed to the Applications folder
g On PPC Tiger a shortcut (nrclientcmd) is created on the Desktop and double-click it will launch Network
Explorer CLI
h NeoRouter is installed under ApplicationsNeoRouterapp and LibraryNeoRouter folder and user data is
stored under usrlocalZebraNetworkSystemsNeoRouter
233 Install NeoRouter Client on Linux
a Download NeoRouter Client for your Linux distribution
b If you have installed an earlier version of NeoRouter please uninstall it
Redhat and Fedora sudo rpm -e nrclient
SuSE sudo rpm -e nrclient
Ubuntu and Debian sudo dpkg -r nrclient
c Install
User Manual
NeoRouter Inc 2010 Page 14 of 53
RedHat and Fedora sudo rpm -i nrclient-ltversiongt-ltreleasegti386rpm
SuSE sudo rpm -i nrclient-ltversiongt-ltreleasegti386rpm
Ubuntu and Debian sudo dpkg -i nrclient-ltversiongt-ltreleasegti386deb
d Configure firewall for P2P connection (Optional)
Establishing direct P2P connection on Linux requires user to disable firewall Otherwise all connections to
this client will be relayed via server User must evaluate the trade-offs between performance and security
If this client is always physically located inside a trusted network like office or home LAN we recommend
disabling firewall and allow P2P connection If this client is physically located in an un-trusted network
like airport or coffee shop we recommend enabling firewall and relay all traffic via server
e Run usrbinnrclientcmd to launch Network Explorer CLI
f NeoRouter is installed under usrbin and user data is stored under
usrlocalZebraNetworkSystemsNeoRouter
234 Install NeoRouter Client on OpenWRT Kamikaze
a Connect to the router using ssh or telnet
b Update available install packages using command opkg update
c If you have installed an earlier version of NeoRouter please uninstall it opkg uninstall nrclient
d Install opkg install httpwwwneoroutercomDownloadsKamikazenrclient_ltversiongt-
ltreleasegt_mipselipk
e Configure firewall for P2P connection (Optional)
Please read NeoRouter client installation instructions for Linux and evaluate the trade-off between
performance and security If you decide to turn off firewall here is the instruction
edit etcfirewalluser and add the following
iptables -t nat -A prerouting_wan -p tcp -j ACCEPT
iptables -A input_wan -p tcp -j ACCEPT
iptables -t nat -A prerouting_wan -p udp -j ACCEPT
iptables -A input_wan -p udp -j ACCEPT
f Run usrbinnrclientcmd to launch Network Explorer CLI
g NeoRouter is installed under usrbin and user data is stored under
usrlocalZebraNetworkSystemsNeoRouter
h Turn your router into a file or backup server (Optional)
If your router has 8MB or more flash there should be enough space left for other packages You can enable
USB storage and Samba server and turn your router into a file server Or you can install rsync and turn it
into a backup server NeoRouters remote access and VPN service will allow you to securely access the
files from anywhere This solution is a lot cheaper than Small Business server or Windows Home server
Enable USB Storage httpnuwikiopenwrtorgoldwikiusbstoragehowto
Install Samba httpwikiopenwrtorgoldwikisambahowto
Install rsync httpoldwikiopenwrtorgrsync(2d)usb(2d)sambaHowTohtml
235 Install NeoRouter Client on Fonera 20N
a As Fonera 20N does not provide enough flash memory to install the NeoRouter client package we can run
it from a USB drive Another option is to flash the router with OpenWrt Kamikaze
b Download NeoRouter Client for Fonera 20N package
c Copy the package to a USB drive plug the USB drive to the FON router
d Connect to router using ssh
e Extract files tar zxvf nrclient-0991528-fon2n-mipseltgz
f If you didnt install the NeoRouter server plugin for FON please run the following commands Otherwise
you can skip this step
cp libuClibc++-022so usrliblibuClibc++-022so
ln -s usrliblibuClibc++-022so usrliblibuClibc++so0
g Setup NeoRouter Client
mkdir usrlocalZebraNetworkSystemsNeoRouter
run ldquonrservice amprdquo to launch the client service in the background
User Manual
NeoRouter Inc 2010 Page 15 of 53
run nrclientcmd to launch the Network Explorer CLI
h Disable firewall if you would like to establish direct P2P connection to this client
i Use the following steps to run client service automatically
vi usrbinnrcronclient and enter
binsh
if [ -z $(ps | grep nrservice | grep -v grep) ] then
usrbinnrservice gtdevnull amp
fi
exit 0
chmod 755 usrbinnrcronclient
Add a new entry to fonstate
etcinitdfonstate stop
vi etcconfigfonstate and enter
config fontimer
option action usrbinnrcronclient
option period 30
etcinitdfonstate start
3 Network Explorer
31 Launch and Sign In
a On Windows launch NeoRouter Network Explorer from Windows Start Menu | All Programs | NeoRouter
| NeoRouter Network Explorer
On Mac Leopard or above launch NeoRouter Network Explorer from Applications folder You can also
pin NeoRouter to the dock
User Manual
NeoRouter Inc 2010 Page 16 of 53
b Enter user credential
- If NeoRouter server is installed on Windows please use the administrator account created during
server setup
- If NeoRouter server is installed on other platforms NeoRouter can defer the authentication to the
operating system so user can sign in using the same username and password as heshe logs into OS
- User can also use the additional accounts created in Configuration Explorer or server CLI
- If you are invited to a NeoRouter domain please contact the administrator for your account
information
c In the Log on to field enter the domain name you have chosen during server setup Alternatively you can
enter the serverrsquos IP address or computer name You can also enter localhost if the Network Explorer is
on the same host as the server
d If the client host is behind proxy please choose Menu ldquoFile | Connectionsrdquo to bring up the Connection
Options dialog click Proxy Setting tab and then set proxy information
e Click the Sign In button
32 Computer List
The computer list is your view of the VLAN You can add any computer in your VLAN to this list and organize
according to your preference You will always have the same list regardless where you sign in from Each user will
have hisher separate list
Initially you will see an empty computer list after signing in for the very first time (see the left picture below) To
add a computer you can choose the menu Computers | Add a computer and then select the computer and category
in the dialog Once complete your computer list will be updated (see the right picture below)
You can use categories to help manage a long list of computers To create a category you can choose menu
Computers | Create a category To move a computer to a different category you can simply drag and drop
User Manual
NeoRouter Inc 2010 Page 17 of 53
Starting in release v098 the computer list shows the OS type icons next to a computer name If a computer is
online its icon is colourful and its name is bold If a computer is offline its icon is grey and its name is not bold
33 Add-on Add-ons extend NeoRouter Network Explorer and let you perform additional tasks over the virtual network
User Manual
NeoRouter Inc 2010 Page 18 of 53
331 Add-on launch pad
If you click on a computer in the computer list a popup dialog will display a list of actions you can take to remotely
control and access this computer This dialog is called the add-on launch pad
Screenshots on Windows
Screenshot on Mac
User Manual
NeoRouter Inc 2010 Page 19 of 53
NeoRouter Network Explorer has a few system default add-ons If a computer is online the following add-ons are
available
Icon Action
remote desktop connection
file sharing
ICMP ping
copy the IP address
If a computer is offline the following add-ons are supported
Icon Action
remote wakeup (WOL)
Note on remote wakeup NeoRouter server can send the Magic packet and wake up hosts that are WOL enabled If
the NeoRouter server is installed on a router remote wakeup works for hosts directly attached to this router If
server is installed on Windows Linux or Mac remote wakeup works for hosts in the same physical LAN To enable
WOL you may need to change BIOS and OS settings
332 Manage Add-ons (Windows)
You can download additional add-ons from the NeoRouter download website
(httpwwwneoroutercomaddonsindexhtml) and install them using the Add-on Manager Here we use UltraVNC
as an example to explain the setup process
a Launch NeoRouter Network Explorer choose menu File - Add-ons
b The Add-ons Manager dialog lists all the existing add-ons including system default ones and those
installed by user
User Manual
NeoRouter Inc 2010 Page 20 of 53
c To find more add-ons click on the Add-ons Gallery link at the bottom of the dialog or visit
httpwwwneoroutercomaddonsindexhtml in your web browser Download the add-on (nri) file to
your computer
d In the Add-ons Manager dialog click on Install button locate the nri file you just downloaded and
click Open to install the add-on
e Some add-ons including UltraVNC may require user to restart the NeoRouter Network Explorer to
complete the installation In such case you will see the following message box You can exit NeoRouter
Network Explorer by right click its icon in system tray and choose exit
f After installation you will see the new add-ons show up in the list
User Manual
NeoRouter Inc 2010 Page 21 of 53
g When you re-launch NeoRouter Network Explorer UltraVNC server will be started automatically If you
have not run UltraVNC server before you will see the following firewall warning and VNC configuration
dialog
h Please click the unblock button when you see the following dialog
Please enter VNC password then click the Ok button
User Manual
NeoRouter Inc 2010 Page 22 of 53
i Repeat the above steps on the remote computer that you plan to access
j To launch VNC viewer and access the remote computer choose the computer in the computer list and
click VNC viewer icon in the launch pad
333 Manage Add-ons (Mac)
a Launch NeoRouter Network Explorer choose menu File - Add-ons
b The Add-ons Manager dialog lists all the existing add-ons including system default ones and those added
by user
User Manual
NeoRouter Inc 2010 Page 23 of 53
c An add-on is essentially an apple script with NeoRouter parameters Here are some examples
Name Script
Copy IP set the clipboard to $NRIPAddress
Ping tell application Terminal to do script ping $NRIPAddress
Shared Folder tell application Finder to open location smb$NRIPAddress
Variables $NRIPAddress and $NRComputerName will be replaced with the IP and name of the selected
computer before the add-on is executed
d You can also create new add-ons or edit existing ones using the Add-On Properties dialog
User Manual
NeoRouter Inc 2010 Page 24 of 53
e To learn more about Apple Script please visit the following websites
httpenwikipediaorgwikiAppleScript
httpdeveloperapplecommaclibrarydocumentationAppleScriptConceptualAppleScriptXAp
pleScriptXhtml
34 Connection Options Connection Options dialog can be opened from Network Explorer menu ldquoFile | Connectionrdquo
341 P2P Connection This option allows user to specify the connection type between this computer and its peers The default option is
UDP User can also use direct TCP connection or relay traffic through NeoRouter server
342 Proxy Setting If the client host is behind proxy user can enter the proxy information here
User Manual
NeoRouter Inc 2010 Page 25 of 53
343 Server Local Address This option can be used to work around the connectivity issue when NeoRouter server is behind a router that does
not support hairpin
A router supports hairpin if it allows a host behind it to send network messages to its public-facing interface
Unfortunately some popular routers do not support this feature or turn off this feature by default
When user logs into NeoRouter Network Explorer first translates domain name into routerrsquos public address using
the NeoRouter DDNS service and then tries to connect to server using this address If both NeoRouter server and
client are behind the same router and the router does not support hairpin the router will block the messages that
client sends to the routerrsquos public address thus client fails to establish connection to server User could work around
this issue by entering serverrsquos LAN IP address instead of domain name in the ldquolog on tordquo box but this can be a
hassle for laptop users who frequently move between networks
These users can choose the second option ldquoConnect to server using its local address when possiblerdquo in the following
dialog and enter serverrsquos local address NeoRouter Network Explorer can detect when client and server are behind
the same router and automatically choose the specified local address to establish the connection to server
User Manual
NeoRouter Inc 2010 Page 26 of 53
35 Multi-Language
Multi-Language support allows you to change the default language displayed in Network Explorer NeoRouter
Portable and Configuration Explorer
351 Install a language resource file
NeoRouter applications support 34 languages and English is the default To install a new language you can
download the language resource files from
httpwwwneoroutercomwikiindexphpNeoRouterWikiMultilanguage and place them under the translation
folder Then the application will load them and list all available languages in the Language menu You can switch
language in the menu and the application will refresh its UI with the new language
For NeoRouter Network Explorer and Configuration Explorer the language resource files should be placed under
one of the following folders
ldquoProgram FilesZebraNetworkSystemsNeoRouterTranslationrdquo
ldquoAllUsersAppdataZebraNetworkSystemsNeoRouterTranslationrdquo
For NeoRouter PortableUSB the language resource file should be placed under Translations folder next to
application
352 Language resource file format
The file name should have the following format [Appliation Name] can be NRClient NRViewer and NRConsole
[LangCd] is the short language code
[Application name]Resource[LangCd][xml|dll]
For example Simplified Chinese version has the following files NRClientResourceZhCnxml for Network
Explorer NRConsoleResourceZhCnxml for Configuration Explorer and NRViewerResourceZhCnxml for
NeoRouter Portable
User Manual
NeoRouter Inc 2010 Page 27 of 53
Each resource file is an xml that contains all the strings defined in the NeoRouter applications The file is encoded in
ANSI The content should be in the format
ltxml version=10 encoding=windows-1252gt
ltresource CompactMode=1 Language=English (United States) LANGID=1033
version=09101650gt
ltstring id=100 value=OLE initialization failed Make sure that the OLE libraries are
the correct versiongt
ltresourcegt
Encoding (=windows-1252) Language(=English (United States)) and LANGID(=1033) are used to control
the translation version=09101650 is resource file version number introduced in v0910 The resource file can
be recognized properly only when these parameters are set properly
353 Multi-Language support for Add-ons
The names and descriptions of the add-ons can be translated to other languages as well You can download the add-
on configuration file from NeoRouter website and overwrite the following file
AllUserAppDataZebraNetworkSystemsNeoRouterAddOnsAddOnxml
36 Skin
Skin allows you to further customize the user interfaces of Network Explorer NeoRouter Portable and
Configuration Explorer
To install a new skin you can download the skin resource file from
httpwwwneoroutercomwikiindexphpNeoRouterWikiSkin and place them under the skin folder
For NeoRouter Network Explorer and Configuration Explorer the language resource files should be placed under
one of the following folders
ldquoProgram FilesZebraNetworkSystemsNeoRouterSkinrdquo
ldquoAllUsersAppdataZebraNetworkSystemsNeoRouterSkinrdquo
For NeoRouter PortableUSB the language resource file should be placed under Skin folder next to executable
To change default skin you need to modify (or create if not exists)
AllUserAppDataZebraNetworkSystemsNeoRouterFeatureini file and add the following
[Default]
SkinName=xxxxstyles
SkinStyle=xxxxini
37 Network Explorer CLI
NeoRouter Network Explorer Command Line Interface (CLI) allows user to sign in manage the computer list and
view computer status Below are the screenshots on Mac and Ubuntu Linux
User Manual
NeoRouter Inc 2010 Page 28 of 53
371 Launch CLI
Usage nrclientcmd [-d DOMAIN] [-u USERNAME] [-p PASSWORD] [-setproxy] [-setconn] [-dbroot DBROOT]
[-internal] [--help]
To launch Network Explorer CLI you can simply run nrclientcmd in a terminal without parameters Mac users can
simply double-click on the nrclientcmd shortcut on the Desktop You will be prompted for domain name and user
credential
If you need to launch nrclientcmd in a startup script you can also provide domain name or credential in the
command line arguments
If the client host is behind a proxy you can use ndashsetproxy option The proxy information will be stored in the
configuration file and nrclientcmd will respect this setting subsequently
There are also a few advance options
- setconn allow user to specify client-to-client connection type
- dbroot allow user to specify the location to store user data
- internal nrclientcmd will generate tags between information sections This option can be used by third
party developers to create a UI wrapper for CLI
372 Computer List in CLI
After signing in you will see your computer list just like on Windows The computer list will automatically update
if there are any changes in your virtual LAN eg a host comes online or offline
At the bottom of the screen lists the available commands you can use to manage the computer list change password
remotely wake up a computer or to quit
38 Network Explorer Portable
NeoRouter Network Explorer Portable can run from any computer without installation It does not require
administrator permission or use the virtual network adapter This application can be extremely useful for users who
need to connect to the VLAN from a public kiosk or from friendrsquos house
User Manual
NeoRouter Inc 2010 Page 29 of 53
Note Prior to v111 Portable and USB are two separate packages They are merged into one package in v111 and
later releases The new package is a zip file containing both the portable client and the USB Auto Run Configuration
Tool The functionalities are same as before
381 Network Explorer Portable
To use Network Explorer Portable client user can simply download it from NeoRouter download website and run
Then user will see the same user interface as the regular Network Explorer The user experience is almost the same
except for the following
The host running PortableUSB client cannot be added to the computer list or be accessed by remote computer
You can think of it as a ldquoviewer of the VLANrdquo
NeoRouter administrator users can see and manage hosts running PortableUSB clients in the Configuration
Explorer
382 Auto Run Configuration for USB
Auto Run Configuration Tool allows user to store the portable client add-ons and configuration on a USB drive
You can even configure it to launch and sign in automatically when the USB drive is plugged into a computer and to
sign out and exit when the USB drive is unplugged
Here are the steps for setting up the USB package
a Download NeoRouter for USB
b Unzip the package to any folder For example CTEMP
c Launch the ldquoAuto Run Configuration Toolrdquo (AutoRunCfgexe)
User Manual
NeoRouter Inc 2010 Page 30 of 53
d Click on the ldquohelliprdquo button next to the working directory text box and specify a working path If the target
USB drive is plugged in you can specify the USB drive root path as the working directory Or you can
specify a temporary path (eg CTEMPUSB) and copy the files to your USB driver later
e Once you specify a working directory the Settings section will be enabled
f Choose CliViewerexe from the same install zip package as the Target file
g Check the Sign in checkbox and enter the domain name and user information to log into your NeoRouter
VLAN
h Setup the proxy information if necessary
i If you want to import a NeoRouter add-on click on the button on the right side of the Add-on file text
box and specify an add-on nri file
j If you want to run an application automatically after signing in click on the Run application
automatically check box and input an executable file path and parameters
k If you want to hide the NeoRouter Viewer window click on the Minimize NeoRouter window when
started
l Click on Save button to save the configuration files It will generate the following files under the working
directory
- Autoruninf
- CliViewerexe copied from the target file
- NRAutoRunxml
- [add-on file]nri if you specify an add-on
- Proxyxml if you specify a proxy
m You will also see the following dialog if the configuration was successful Then please copy all files and
sub-folder under the working directory to the root of your USB drive And the USB drive is ready to use
39 Change Password
A user can change hisher password in NeoRouter Network Explorer User must sign in the Network Explorer using
old password then choose menu ldquoFile | Change Passwordrdquo then enter the new password in the dialog
Network Explorer CLI has similar functionality After signing in user can use ndashchangepassword command to enter
new password
If a user loses the old password an administrator can create a new password for himher using the Configuration
Explorer User Management tool
User Manual
NeoRouter Inc 2010 Page 31 of 53
4 Configuration Explorer
NeoRouter Configuration Explorer is a Windows application that allows an administrator to manage local or remote
NeoRouter server This is the recommended method to change server settings
If user does not have a Windows computer nrserver CLI can be used to perform most configurations
41 Launch and Sign In
Note Only administrators can sign in Configuration Explorer
a User can launch it from Windows Start Menu | All Programs | NeoRouter | NeoRouter Network Explorer
or from NeoRouter Network Explorer menu ldquoFile | Optionsrdquo
b After launch user will see a sign-in dialog that is similar to the Network Explorer counterpart Please enter
domain name and user credential to sign in If the local host is behind a proxy please click on Connection
button to set proxy information
c After sign in the following general information page will be displayed
User Manual
NeoRouter Inc 2010 Page 32 of 53
42 Managing Users
In the User Accounts page you can perform the following tasks
- View existing users The users list can be sorted by any column
- Add a new user admin will create a temporary password for the new user and user can change the
password in Network Explorer
- Edit user information you can enter anything like employer contact info etc
- Set userrsquos password If a user loses password admin can set a temporary password for himher Then user
can change the password again in Network Explorer
- Disable (block) a user A disabled user will not be able to sign in Network Explorer or Configuration
Explorer The userrsquos profile and ACL settings are retained
- Delete a user all information of this user is deleted
- View the computers that are visible to this user (see ACL section for details)
User Manual
NeoRouter Inc 2010 Page 33 of 53
43 Managing Computers
In the Computers page you can perform the following tasks
- View existing computers please note that the Type column will show ldquoTemporaryrdquo for Network Explore
PortableUSB clients and ldquoPermanentrdquo for regular clients The computer list can be sorted by any column
- Edit a computerrsquos alias When a computer is added to the virtual network NeoRouter reads the computer
name from the OS and displays it in the computer list If you prefer a different name you can create an
alias which will then be used in the computer list
- Edit a computerrsquos description you can enter anything like computer owner location asset id etc
- Edit ACL this will be discussed in next section
User Manual
NeoRouter Inc 2010 Page 34 of 53
44 Access Control List
This feature is available in NeoRouter Profession Edition only
441 Overview
The ACL of a host specifies which users are granted or denied access to the host and which specific services or ports
are allowed Administrators can use ACL to manage a NeoRouter domain that has users with different trust levels
For example Joe uses NeoRouter to manage the office network at his small business He wants to share some
documents on a file server with a customer but block this customer from accessing other services on this file server
and other computers at office At the same time Joe and his coworkers should continue to have full access to all
computers
This can be a daunting task with traditional VPN solutions Once Joersquos customer is connected into the office
network heshe can access all network resources just like Joe and his coworkers If the office uses a domain
controller it can help mitigate the threat but Joe would have to check all the computers to ensure they are secure
Some coworkers can make innocent mistakes and share important files or internal websites with ldquoeveryonerdquo With
NeoRouter Joe can manage all the access control at one place and easily solve this challenge
User Manual
NeoRouter Inc 2010 Page 35 of 53
ACL defines the relationships between users and computers that can be conceptually represented using a table In
Joersquos case he needs to define the ACL as follows
Default User Joe (Admin) Customer Joersquo Co-workers
Default Computer ACL Block all
File Server Allow all Allow file sharing
block other services
Office Computer A Allow all Block all
Office Computer B Allow all Block all
Joersquos laptop Allow all Block all
Customerrsquos Computer
Letrsquos first look at the row for File Server Joersquos customer will only have access to the files sharing service There is
no ACL defined for Joe and his co-workers so the ACL for Default User is effective and they have full access
Similarly the customer will be blocked from accessing office computer A and B as well as Joersquos laptop while Joe
and his coworkers have full access to these computers
When the customer connects to Joersquos NeoRouter domain his computer will be added to the domain Because the
ACL for this computer is undefined it will have the same ACL as ldquoDefault Computerrdquo Thus the customerrsquos
computer will block all users including Joe from accessing it The customer has physical access to his own
computer
442 Define Computer ACL
You can think of a computerrsquos ACL as a row in the above ACL table An admin can select any computer in the
computer list and edit its ACL If a group of computers share the same ACL admin can copy ACL from one
computer to another
To edit the Default Computer ACL you can click on the ldquoEdit Default ACLrdquo button in the tool bar
User Manual
NeoRouter Inc 2010 Page 36 of 53
443 Define ACL entry
An ACL entry defines the relationship between one user and one computer You can think of it as a cell in the above
table To edit an ACL entry you can select the computer in the computer list click Edit ACL in the tool bar and
then select the user in the User List in the following dialog If the user does not exist in the list you can click Add
button and add himher
There are 4 types of ACL entries
Undefined the relationship between the user and the computer is not explicitly defined The user does not
show up in the User List of the ACL In this case the Default User ACL entry for this computer will be
effective
Block All the computer is invisible to the user User cannot add the computer to hisher computer list in
Network Explorer or connect to it
Note admin can view the list of computers that is visible to a specific user Click on the User Accounts tab
choose the user and then click on the ldquoUser Computer Listrdquo button from tool bar
Firewall On User can only access the services in the exceptions list provided by the computer
Firewall Off User can access all services provided by the computer
To define the Default User ACL entry for a computer choose Default User from User List If several users have the
same trust level admin can copy the ACL entry from one user to another using the ldquoCopy Fromrdquo button
444 How Firewall Works
NeoRouter Client Service daemon has a built-in firewall that monitors traffic in the virtual network The firewall
downloads the ACL from server and uses it to allow or deny incoming connections in the virtual network
User Manual
NeoRouter Inc 2010 Page 37 of 53
When a remote computer establishes a direct P2P or relayed connection to local host it also informs which user has
signed into the Network Explorer on the remote computer Then the local hostrsquos firewall will use the user id to
choose the appropriate ACL entry and control the virtual network traffic between these two computers If user does
not sign in Network Explorer on the remote computer the Default User ACL entry is used
As a result NeoRouter firewall can control a userrsquos access to a network resource (a computer or a service on a
computer) based on the ACL
445 Example hub-and-spoke
Jeffrsquos company has three business partners A B and C Jeff needs to setup bidirectional network connections with
each partner but these partners should be invisible to each other Jeff setup a NeoRouter domain and invited the
partners to Then Jeff creates the following ACL to achieve his access control goals
Default User Jeff (Admin) Partner A Partner B Partner C
Default Computer ACL Block all Allow all
Jeffrsquos Computer 1 (Hub 1) Allow all
Jeffrsquos Computer 2 (Hub 2) Allow all
Partner Arsquos Computer
Partner Brsquos computer
Partner Crsquos computer
Every user will have access to Jeffrsquos two computers (hub) because they have Default User ACL entry as ldquoAllow
allrdquo Partner Arsquos computer does not have a specific ACL defined so the Default Computer ACL is effective The
Default Computer ACL grants Jeff access to Partner Arsquos computer but make the computer invisible to Partner B and
C Partner A have physical access to his own computer
446 Example one-way access
Jasonrsquos company provide technical support for customer A Jason needs to have one-way access to Customer Arsquos
computer but block Customer A from accessing Jasonrsquos computer Jason sets up the following ACL for his domain
and invites Customer A to join his domain Jason can access all the computers in the domain while Customer A can
access none except for his own
One day Jason visits another Customer Brsquos office He installs NeoRouter client on Customer Brsquos computer so that he
can provide technical support remotely in the future When he signs into Network Explorer he makes sure to
uncheck ldquoremember my passwordrdquo checkbox When he leaves customer Brsquos office he exits the Network Explorer
Because Network Explorer is not running on Customer Brsquos computer the Default User ACL governs the
connections from Customer Brsquos computer to other computers in the VLAN Thus Customer B does not have access
to any computers except for his own When Jason goes back to his office he can connect to Customer Brsquos computer
remotely and provide customer support
The difference between Customer A and B is that Customer A has a NeoRouter user account while Customer B does
not The result is that Jason has access to all three computers while Customer A or B can only access hisher own
computer
Default User Jason (Admin) Customer A
Default Computer ACL Block all Allow all
Jasonrsquos Computer
Customer Arsquos Computer
Customer Brsquos Computer
User Manual
NeoRouter Inc 2010 Page 38 of 53
45 Managing Server and Domain
In the Settings page you can perform the following tasks
- Change domain name User should have setup a domain during the server installation If you decide to
change the domain name you can create a new domain at NeoRouter Dashboard website and then use
Configuration Explorer to switch the server to new domain
- Change Listen Port this is discussed in the Advanced Configuration chapter
- Change NAT setting this is discussed in the Server Installation chapter
- Change DHCP this is discussed in the Advanced Configuration chapter
Please restart the NeoRouter server daemon after changes
46 Branding
This feature is available in NeoRouter Profession Edition only
Admin can customize the logo on the sign-in page NeoRouter Network Explorer and the banner below the computer
list The customization page of the Configuration Explorer allows user to make these changes The changes will be
effective next time user signs into the Network Explorer
User Manual
NeoRouter Inc 2010 Page 39 of 53
a Logo format custom logo can be JPG JPEG BMP or GIF files The Logo will be displayed in 180 80
pixels and the file will be automatically resized to fit The color of the pixel at (0 0) will be used as the
transparent color
b Banner format custom banner can be JPG JPEG BMP or GIF files The banner will be displayed in
190 42 pixels and the file will be automatically resized to fit
c When user clicks on the banner Network Explorer will launch a web browser and navigate to the link
specified in the ldquoBanner Linkrdquo box The banner link should be a valid URL that begins with http eg
httpwwwgooglecom
User Manual
NeoRouter Inc 2010 Page 40 of 53
47 Server Configuration CLI
Another way to configure the NeoRouter server is to use nrserverrsquos CLI If user does not have a Windows computer
with Configuration Explorer this tool can be used to set most configurations
Usage nrserver [options]
-run [--dbroot ltDBROOTgt]]
-showsettings
-setdomain ltDOMAINNAMEgt ltDOMAINPASSWORDgt
-setport ltPORTgt
-dhcp ltSUBNETgt ltNETMASKgt
-showusers
-adduser ltUSERNAMEgt ltPASSWORDgt [admin|user]
-setpassword ltUSERNAMEgt ltNEW PASSWORDgt
-setrole ltUSERNAMEgt [admin|user]
-enableuser ltUSERNAMEgt
-disableuser ltUSERNAMEgt
-deleteuser ltUSERNAMEgt
-showcomputers
-deletecomputer COMPUTERNAME
-setalias COMPUTERNAME ALIAS
-help
5 Advanced Configuration
51 Change Server Port
By default NeoRouter server listens at TCP port 32976 for incoming client connections User can change the
listening port to any valid number between 1 and 65534
a Launch Configuration Explorer sign in and open the Settings tab
b Click on ldquoChange Portrdquo button input the new listening port and click ldquoOkrdquo to save the settings
c If the NeoRouter Server is running on the same computer user will be prompted for restarting the
NeoRouter Server
d If the NeoRouter Server is running on a different computer or device user needs to restart the server
manually
User Manual
NeoRouter Inc 2010 Page 41 of 53
Note
- The new settings will not take effect until the NeoRouter server stops and restarts
- Since the listening port has been changed all NeoRouter clients connected to the server will be
disconnected and have to reconnect to the server
52 Change DHCP NeoRouter server acts as a DHCP server to allocate the virtual IP address when a NeoRouter client connects to it By default the base IP address is 100002552552550 User can change the base IP address to any valid network IP address to meet the specific requirements
a Run Configuration Explorer sign in and open the ldquoSettingsrdquo tab b Click on ldquoChange DHCPrdquo button input the new IP address and netmask and then click ldquoOkrdquo to save the
settings c If the NeoRouter Server is running on the same computer user will be prompted for restarting the
NeoRouter Server d If the NeoRouter Server is running on a different computer or device user needs to restart the server
manually
Note
- The new settings will not take effect until the NeoRouter server stops and restarts
53 Network Bridge
531 Overview NeoRouter (v099 or later) supports the Network Bridge feature which uses two very different means for
interconnecting networks routing and bridging Once the feature is enabled the ACL feature will be disabled
automatically as we cannot control the packets from the external networks anymore and may cause security issues if
its not setup properly So this is an advanced feature for the users who know about it every well
Routing - refers to the interconnection of separate and independent sub-networks (subnets) which have non-
overlapping ranges of IP addresses Upon receiving a packet sent to it a network router examines the
destination IP address to determine which of several connected networks should receive it after which that packet
is forwarded to the proper network
User Manual
NeoRouter Inc 2010 Page 42 of 53
Bridging - by comparison is much simpler A network bridge is simply an electrical interconnection between
separate physical networks that are all carrying the same ranges of IP addresses Standard dumb network hubs
and switches are examples of network bridges With a hub packets arriving at any port are bridged and sent
out to every other port A switch is a bit smarter since it is able to adaptively learn which network interface cards
(NICs) are attached to which ports But a switch is still interconnecting network segments carrying the same
ranges of IP addresses
532 Routing vs Bridging Although routed connections are the most common and straightforward to configure they suffer from significant
operational limitations By comparison bridged connections are generally much trickier to configure and are not
even natively available under all operating systems so they are not the default connection type But when bridging
is properly setup it correctly does everything that we want
Bridging and routing are functionally very similar with the major difference being that a routed VPN will not pass
IP broadcasts while a bridged VPN will
Routing advantages
Efficiency and scalability
Allows better tuning of MTU for efficiency
Routing disadvantages
Clients must use a WINS server (such as samba) to allow cross-VPN network browsing to work
Routes must be set up linking each subnet
Software that depends on broadcasts will not see machines on the other side of the VPN
Works only with IPv4 in general and IPv6 in cases where tuntap drivers on both ends of the connection
support it explicitly
Bridging advantages
Broadcasts traverse the VPN -- this allows software that depends on LAN broadcasts such as Windows
NetBIOS file sharing and network neighborhood browsing to work
No route statements to configure
Works with any protocol that can function over ethernet
Relatively easy-to-configure solution for road warriors
Bridging disadvantages
Less efficient than routing and does not scale well
533 Setup Network Bridge With either bridging mode or routing mode one can create point-to-site VPN site-to-site VPN or even multiple site-
to-site networks Once a network structure is well designed one can use Featureini file to control NeoRouter client
service to implement it
The file Featureini is located in the main configuration folder which can be various for different OS
On Windows Xp
XDocuments and SettingsAll UsersApplication DataZebraNetworkSystemsNeoRouter
On Vista+
XUsersAll UsersZebraNetworkSystemsNeoRouter
On Linux and Mac OSX
usrlocalZebraNetworkSystemsNeoRouter
On in-a-box
jffs
If it does not exist please create one
The only thing to do is define the parameters in the Featureini file
User Manual
NeoRouter Inc 2010 Page 43 of 53
NetworkBridge=1
LANSegment parameter
This is a set of parameters used for mapping the external IP address or IP range to a virtual IP address so that
NeoRouter can route the packets to the proper tunnel Its defined in the following format
LANSegment[index]=[IP|IP range|segment]VIP
[index] - number start from 1 for example 123
[IP] - a valid external IP address for example 192168129126
[IP range] - a set of external IP addresses in the format as IP_BEGIN-IP_END For example 192168129126-
192168129128
[segment] - a set of external IP addresses in the format as SUBNETWORKNETMASK For example
19216812902552552550
For example
[Default]
NetworkBridge=1
LANSegment1=192168129126-192168129128192168129204
LANSegment2=192168129120192168129205
LANSegment3=192168302552552550192168129206
In the sample above the setting tells NeoRouter how to route packets
Here are several common scenarios
534 Bridging Setup ndash point to site VPN
Requirement
A company wants create a point-to-site VPN so that the employees can remotely access the printers or computers in
the office from home or customer site Since NeoRouter client cannot be installed on the printers and some
User Manual
NeoRouter Inc 2010 Page 44 of 53
computers that are running Unix OS (HP-Unix Solaris or SCO Unix) the NeoRouter Network Bridge feature
would the best choice
Design
Since we want to use the printer its better to use the bridging mode Depending on the requirements we split the
network into 3 groups
1 192168129126 - 192168128128 used for computers or printers
2 192168129200 - 192168129254 used for NeoRouter DHCP
3 Other IP address we dont want packets from these IP range go to our VPN
Setup
1 Setup NeoRouter server and config the DHCP address to 1921681292002552552550
2 Setup the gateway computer by creating a bridge to combine the NeoRouter virtual adapter and a local adapter
On Windows XP+ (except WinXp x64) one can use Windows tool to create a bridge
(check out MSDN for details)
Since some adapters may not fully support prosmic mode one has to enable it manually
(check out httpsupportmicrosoftcomkb302348)
gt netsh bridge show adapter
gt netsh bridge set a 1 e
gt netsh bridge set a 2 e
On Linux one can use brctl command to create a bridge
gt brctl addbr $br
gt brctl addif $br eth0
gt brctl addif $br nrtap
gt ifconfig nrtap 0000 promisc up
gt ifconfig eth0 0000 promisc up
gt ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast
gt
gt ifconfig $br down
gt brctl delbr $br
3 Setup Featureini file on each member of the NeoRouter network The content of the file is
[Default]
NetworkBridge=1
LANSegment1=192168129126-192168129128192168129204
After setting the file restart the nrservice or reboot computer
User Manual
NeoRouter Inc 2010 Page 45 of 53
535 Routing Setup ndash site to site VPN
Requirement
A company wants create a site-to-site VPN to link two offices located in different cities They cannot install
NeoRouter client software on their computers running Unix OS (HP-Unix Solaris or SCO Unix) The NeoRouter
Network Bridge feature would be the best choice
Design
To make the VPN fast its better to use the routing mode From the requirements we can see 3 networks
1 19216812902552552550 Office 1
2 192168302552552550 Office 2
3 100102552552550 NeoRouter virtual network
Setup
1 Setup NeoRouter client on each gateway computers
2 One each gateway computer enable the feature allowing the OS to forward packets
On Windows 2000+
create HKEY_Local_MachineSystemCurrentControlSetServicesTcpipParametersIPEnableRouter
as a string value equal to 1 in the registry This will require a system reboot to take effect To confirm it
is enabled do ipconfig all from the command line IP Routing Enabled should say yes If not confirm your
registry setting and reboot again This setting is flaky in non-server versions of Windows
Also refer to httpsupportmicrosoftcomkb230082en-us
On Linux
gt echo 1 gt procsysnetipv4ip_forward
User Manual
NeoRouter Inc 2010 Page 46 of 53
On Mac OS X
1) The easy way is to create or edit etcsysctlconf and add netinetipforwarding=1
or
2) gt sysctl -w netinetipforwarding=1
3 Setup route on each gateway
On the gateway of the 1921683x network
gt route ndashp add 1921681290 mask 25525500 1001103
On the gateway of the 192168129x network
gt route ndashp add 19216830 mask 25525500 1001102
4 Setup route stable When using routing method you need to tell your other machines how to cross the VPN to
access computers on the opposite network
Option1
This requires more work but limits configuration changes to be at the computer level
On each computer of the 1921683x network
gt route ndashp add 1921681290 mask 25525500 1921683234
On each computer of the 192168129x network
gt route ndashp add 19216830 mask 25525500 192168129129
Option 2 (not all routers support this but it is the minimal configuration method)
On the router acting as the default gateway for 1921683x network add a static route that says any traffic destined
for 1921681290 network go through 1921683x (IP address of NeoRouter PC on 1921683x network)
On the router acting as the default gateway for 192168129x network add a static route that says any traffic
destined for 19216830 network go through 192168129x (IP address of NeoRouter PC on 192168129x
network)
User Manual
NeoRouter Inc 2010 Page 47 of 53
536 Bridging Setup ndash site to site VPN
537 Run Scripts When Network Bridge feature is enabled one can define commands getting called by NR Client on the following
events
These commands should be defined in the Featureini file
1When initialize the tap device but not activate it yet
CmdOnTapInit=xxxxxxxxx
2When the tap device gets activated
CmdOnTapActive=xxxxxxxxx
3When tap device gets destroyed
CmdOnTapUninit=xxxxxxxxx
These options are available on all platforms
For example one can define a script to setup static route table after the tap gets activated and has virtual IP address
assigned
Featureini
CmdOnTapActive=usrbinsetroutetablesh
User Manual
NeoRouter Inc 2010 Page 48 of 53
54 Build Custom Add-on (Windows)
541 Create Custom Add-on You can customize an add-on or even create your own
As an example letrsquos create an add-on to get the system info of a remote computer using PsTools by Mark
Russinovich and systeminfoexe command shipped with Windows
PsTools httptechnetmicrosoftcomen-ussysinternalsbb896649aspx
systeminfo httptechnetmicrosoftcomen-uslibrarybb491007aspx
a Launch NeoRouter Network Explorer open Add-ons Manager dialog
b Click + button to create a new add-on
c In add-on properties dialog enter the following
Add-on name psexec systeminfo
Command
cmdexe C cpstoolspsexecexe NRIPAddress -u ltusernamegt systeminfo amp pause
Please replace ltusernamegt with username on the remote computer
Comment Get SystemInfo of remote machine using psexec
Startup Type Manual
Icon click Change Icon button to choose one thats easy to recognize
d In the command you can use Windows environment variables or NeoRouter variables like
NRIPAddress If you click on the button next to the Command edit box you will see the Edit
Command dialog with a list of variables you can use
User Manual
NeoRouter Inc 2010 Page 49 of 53
e Three Startup types are supported
Manual the add-on will be displayed in the launch pad of Network Explorer and user can manually
launch the program
Automatic after signing in the add-on command is automatically executed when user signs into
NeoRouter Network Explorer
Automatic after Windows starts the add-on command is automatically executed when Windows
starts
f Launch the new add-on just click on the target computer in Network Explorer and choose the add-on in
the pop-up launch pad
User Manual
NeoRouter Inc 2010 Page 50 of 53
g In the above steps I have assumed that PsTools are installed at cPsTools and the remote computer has
telnet service enabled If not lets configure the system now
PsTools download from httptechnetmicrosoftcomen-ussysinternalsbb896649aspx and extract to
cPsTools folder
h Configure telnet service on remote computer This step is required on XPVista but not necessary on
Windows 20032008 servers
Run servicesmsc from the Start -gt Run command window and configured the Telnet service for
Automatic Start the service
Follow the instructions here httpsupportmicrosoftcomkb298060en-us
Launch Windows firewall and add CWINDOWSSystem32tlntsvrexe to exception list
542 Add-on File Formats
NeoRouter supports two types of add-on files nri and nra Most users only need to deal with nri files all files
downloaded from httpwwwneoroutercomaddonsindexhtml are in this format nra files are used by advanced
users to build custom add-ons
nri is the full installation package that contains both the application and the the configure info Users can simply
download nri files from and use the Install button to setup the add-on
nra contains only the configuration info Advanced users can create custom add-ons and export the configuration
info as nra files using the Export button in the add-on properties dialog Then heshe can import the nra file
on another client But remember that you will need to manually setup the application as well
User Manual
NeoRouter Inc 2010 Page 51 of 53
6 Licensing NeoRouter
61 Licensing Overview
NeoRouter Server Professional Edition has a license control mechanism User can purchase either 8 licenses or 256
licenses The number of licenses is the max number of client computers allowed in the virtual network A
NeoRouter client requires one license regardless of whether it is online or offline A NeoRouter PortableUSB client
requires one license when it is connected to the virtual network There is no limit on the number of user accounts
NeoRouter Professional has 30 days trial period Please activate before the trial period expires to ensure
uninterrupted usage The license status and remaining trial days can be found at Configuration Explorerrsquos General
page
62 Activation
If you have purchased NeoRouter Professional Edition you should receive a product key in email Please have the
product key ready before starting the activation process
a Ensure NeoRouter server is running
b Launch Configuration Explorer and sign in
c Open ldquoGeneralrdquo page click on the ldquoActivate Productrdquo button
d Enter the product key in the following dialog
e Click on the ldquoOKrdquo button to activate it
After successful activation the ldquoActivate Productrdquo button will disappear and License status will show as activated
If the server host is non-Windows you can also activate using nrserverrsquos CLI The command is as follows On Mac
nrserver executable is located under LibraryNeoRouter
ldquonrserver ndashactivateproduct ltPRODUCT KEYgtrdquo
63 Product Key Recovery
You should receive a product key in email within 48 hours after your purchase If you lose the product key please
contact us and provide your name company shipping address and email address We will verify the information and
resend the product key to you
User Manual
NeoRouter Inc 2010 Page 52 of 53
7 Troubleshooting and Support
71 Troubleshooting
If you come cross issues when using NeoRouter please use the methods to debug or report
711 Troubleshooting steps
1Install Server
2Check Server
Process
3Check Server
Listening port
4Check Port
Forwarding
6Signin with
Domain
14Check Error
Message
20 Generate Log
and email support
9Install Client
10Check Client
Service Process
11Sign in with
serverrsquos local or
public IP and port
failed
sucessful
15 Manually Start
Servernot found
started
not start
found
not open17 Check Port
conflicts
solved
Not solved
opened
19 Check Router
Port Forward
setting
not work
Set properly
8Ready
Sign in successfully
5Sign in with
public IP and port
successful
Cannot sign in
22 Router Hairpin
issue
Cannot
sign in
12Sign in with
domain name
found
successful
failed
16 Manually Start
Client ServiceNot found
started
13Ready
Sign in successfully
18 Check serverCannot
Sign in
solved
Cannot
sign in
21 Check domain
setting
Not sovled solved
Troubleshooting Steps
Setup Server Setup Client
Note
Step 2 and 10 to check if a process is running you can use Task Manager or Services Console on
Windows or ps command on other platforms
Step 3 to check server listening port you can use telnet or netstat on all platforms You can also
TcpViewer on Windows or NetActView on Linux
Step 4 to check port forwarding you can use httpwwwneoroutercomcheckportphp
Step 5 and 6 Tip ndash use Configuration Explorer instead of Network Explorer to debug server issues
Step 20 next section will explain how to generate log files
User Manual
NeoRouter Inc 2010 Page 53 of 53
Step 22 If your router does not support Hairpin please set serverrsquos LAN address in the Connection
Options dialog See Server Local Address
712 Generate Log
If you need technical support please use the following steps to collect the log files and send them to
supportneoroutercom
a Launch Network Explorer
b Select menu item HelpgtgtTroubleshootinggtgtLog Session to File
c If you want to troubleshoot the server then restart the NeoRouter server service from the servicesmsc if
you want to create log for the client then restart the NeoRouter client service from the servicemsc
d After reproduce the issue select menu item HelpgtgtTroubleshootinggtgt Log Session to File again to disable
the log and restart the service you are trying to log
e Select menu item HelpgtgtTroubleshootinggtgtOpen Configuration Folder and you will see the log file
For advanced users please setup logging settings manually referring to
httpwwwneoroutercomwikiindexphpNeoRouterWikiFAQHow_to_generate_a_log_file3F
72 Contact Us
Company website
httpwwwneoroutercom
Technical support
supportneoroutercom
Support ticket
httpswwwneoroutercomDashboardSendTicketaspx
Support forum
httpwwwneoroutercomforum
Product sales
salesneoroutercom
Knowledge base
httpwwwneoroutercomsupport
User Manual
NeoRouter Inc 2010 Page 14 of 53
RedHat and Fedora sudo rpm -i nrclient-ltversiongt-ltreleasegti386rpm
SuSE sudo rpm -i nrclient-ltversiongt-ltreleasegti386rpm
Ubuntu and Debian sudo dpkg -i nrclient-ltversiongt-ltreleasegti386deb
d Configure firewall for P2P connection (Optional)
Establishing direct P2P connection on Linux requires user to disable firewall Otherwise all connections to
this client will be relayed via server User must evaluate the trade-offs between performance and security
If this client is always physically located inside a trusted network like office or home LAN we recommend
disabling firewall and allow P2P connection If this client is physically located in an un-trusted network
like airport or coffee shop we recommend enabling firewall and relay all traffic via server
e Run usrbinnrclientcmd to launch Network Explorer CLI
f NeoRouter is installed under usrbin and user data is stored under
usrlocalZebraNetworkSystemsNeoRouter
234 Install NeoRouter Client on OpenWRT Kamikaze
a Connect to the router using ssh or telnet
b Update available install packages using command opkg update
c If you have installed an earlier version of NeoRouter please uninstall it opkg uninstall nrclient
d Install opkg install httpwwwneoroutercomDownloadsKamikazenrclient_ltversiongt-
ltreleasegt_mipselipk
e Configure firewall for P2P connection (Optional)
Please read NeoRouter client installation instructions for Linux and evaluate the trade-off between
performance and security If you decide to turn off firewall here is the instruction
edit etcfirewalluser and add the following
iptables -t nat -A prerouting_wan -p tcp -j ACCEPT
iptables -A input_wan -p tcp -j ACCEPT
iptables -t nat -A prerouting_wan -p udp -j ACCEPT
iptables -A input_wan -p udp -j ACCEPT
f Run usrbinnrclientcmd to launch Network Explorer CLI
g NeoRouter is installed under usrbin and user data is stored under
usrlocalZebraNetworkSystemsNeoRouter
h Turn your router into a file or backup server (Optional)
If your router has 8MB or more flash there should be enough space left for other packages You can enable
USB storage and Samba server and turn your router into a file server Or you can install rsync and turn it
into a backup server NeoRouters remote access and VPN service will allow you to securely access the
files from anywhere This solution is a lot cheaper than Small Business server or Windows Home server
Enable USB Storage httpnuwikiopenwrtorgoldwikiusbstoragehowto
Install Samba httpwikiopenwrtorgoldwikisambahowto
Install rsync httpoldwikiopenwrtorgrsync(2d)usb(2d)sambaHowTohtml
235 Install NeoRouter Client on Fonera 20N
a As Fonera 20N does not provide enough flash memory to install the NeoRouter client package we can run
it from a USB drive Another option is to flash the router with OpenWrt Kamikaze
b Download NeoRouter Client for Fonera 20N package
c Copy the package to a USB drive plug the USB drive to the FON router
d Connect to router using ssh
e Extract files tar zxvf nrclient-0991528-fon2n-mipseltgz
f If you didnt install the NeoRouter server plugin for FON please run the following commands Otherwise
you can skip this step
cp libuClibc++-022so usrliblibuClibc++-022so
ln -s usrliblibuClibc++-022so usrliblibuClibc++so0
g Setup NeoRouter Client
mkdir usrlocalZebraNetworkSystemsNeoRouter
run ldquonrservice amprdquo to launch the client service in the background
User Manual
NeoRouter Inc 2010 Page 15 of 53
run nrclientcmd to launch the Network Explorer CLI
h Disable firewall if you would like to establish direct P2P connection to this client
i Use the following steps to run client service automatically
vi usrbinnrcronclient and enter
binsh
if [ -z $(ps | grep nrservice | grep -v grep) ] then
usrbinnrservice gtdevnull amp
fi
exit 0
chmod 755 usrbinnrcronclient
Add a new entry to fonstate
etcinitdfonstate stop
vi etcconfigfonstate and enter
config fontimer
option action usrbinnrcronclient
option period 30
etcinitdfonstate start
3 Network Explorer
31 Launch and Sign In
a On Windows launch NeoRouter Network Explorer from Windows Start Menu | All Programs | NeoRouter
| NeoRouter Network Explorer
On Mac Leopard or above launch NeoRouter Network Explorer from Applications folder You can also
pin NeoRouter to the dock
User Manual
NeoRouter Inc 2010 Page 16 of 53
b Enter user credential
- If NeoRouter server is installed on Windows please use the administrator account created during
server setup
- If NeoRouter server is installed on other platforms NeoRouter can defer the authentication to the
operating system so user can sign in using the same username and password as heshe logs into OS
- User can also use the additional accounts created in Configuration Explorer or server CLI
- If you are invited to a NeoRouter domain please contact the administrator for your account
information
c In the Log on to field enter the domain name you have chosen during server setup Alternatively you can
enter the serverrsquos IP address or computer name You can also enter localhost if the Network Explorer is
on the same host as the server
d If the client host is behind proxy please choose Menu ldquoFile | Connectionsrdquo to bring up the Connection
Options dialog click Proxy Setting tab and then set proxy information
e Click the Sign In button
32 Computer List
The computer list is your view of the VLAN You can add any computer in your VLAN to this list and organize
according to your preference You will always have the same list regardless where you sign in from Each user will
have hisher separate list
Initially you will see an empty computer list after signing in for the very first time (see the left picture below) To
add a computer you can choose the menu Computers | Add a computer and then select the computer and category
in the dialog Once complete your computer list will be updated (see the right picture below)
You can use categories to help manage a long list of computers To create a category you can choose menu
Computers | Create a category To move a computer to a different category you can simply drag and drop
User Manual
NeoRouter Inc 2010 Page 17 of 53
Starting in release v098 the computer list shows the OS type icons next to a computer name If a computer is
online its icon is colourful and its name is bold If a computer is offline its icon is grey and its name is not bold
33 Add-on Add-ons extend NeoRouter Network Explorer and let you perform additional tasks over the virtual network
User Manual
NeoRouter Inc 2010 Page 18 of 53
331 Add-on launch pad
If you click on a computer in the computer list a popup dialog will display a list of actions you can take to remotely
control and access this computer This dialog is called the add-on launch pad
Screenshots on Windows
Screenshot on Mac
User Manual
NeoRouter Inc 2010 Page 19 of 53
NeoRouter Network Explorer has a few system default add-ons If a computer is online the following add-ons are
available
Icon Action
remote desktop connection
file sharing
ICMP ping
copy the IP address
If a computer is offline the following add-ons are supported
Icon Action
remote wakeup (WOL)
Note on remote wakeup NeoRouter server can send the Magic packet and wake up hosts that are WOL enabled If
the NeoRouter server is installed on a router remote wakeup works for hosts directly attached to this router If
server is installed on Windows Linux or Mac remote wakeup works for hosts in the same physical LAN To enable
WOL you may need to change BIOS and OS settings
332 Manage Add-ons (Windows)
You can download additional add-ons from the NeoRouter download website
(httpwwwneoroutercomaddonsindexhtml) and install them using the Add-on Manager Here we use UltraVNC
as an example to explain the setup process
a Launch NeoRouter Network Explorer choose menu File - Add-ons
b The Add-ons Manager dialog lists all the existing add-ons including system default ones and those
installed by user
User Manual
NeoRouter Inc 2010 Page 20 of 53
c To find more add-ons click on the Add-ons Gallery link at the bottom of the dialog or visit
httpwwwneoroutercomaddonsindexhtml in your web browser Download the add-on (nri) file to
your computer
d In the Add-ons Manager dialog click on Install button locate the nri file you just downloaded and
click Open to install the add-on
e Some add-ons including UltraVNC may require user to restart the NeoRouter Network Explorer to
complete the installation In such case you will see the following message box You can exit NeoRouter
Network Explorer by right click its icon in system tray and choose exit
f After installation you will see the new add-ons show up in the list
User Manual
NeoRouter Inc 2010 Page 21 of 53
g When you re-launch NeoRouter Network Explorer UltraVNC server will be started automatically If you
have not run UltraVNC server before you will see the following firewall warning and VNC configuration
dialog
h Please click the unblock button when you see the following dialog
Please enter VNC password then click the Ok button
User Manual
NeoRouter Inc 2010 Page 22 of 53
i Repeat the above steps on the remote computer that you plan to access
j To launch VNC viewer and access the remote computer choose the computer in the computer list and
click VNC viewer icon in the launch pad
333 Manage Add-ons (Mac)
a Launch NeoRouter Network Explorer choose menu File - Add-ons
b The Add-ons Manager dialog lists all the existing add-ons including system default ones and those added
by user
User Manual
NeoRouter Inc 2010 Page 23 of 53
c An add-on is essentially an apple script with NeoRouter parameters Here are some examples
Name Script
Copy IP set the clipboard to $NRIPAddress
Ping tell application Terminal to do script ping $NRIPAddress
Shared Folder tell application Finder to open location smb$NRIPAddress
Variables $NRIPAddress and $NRComputerName will be replaced with the IP and name of the selected
computer before the add-on is executed
d You can also create new add-ons or edit existing ones using the Add-On Properties dialog
User Manual
NeoRouter Inc 2010 Page 24 of 53
e To learn more about Apple Script please visit the following websites
httpenwikipediaorgwikiAppleScript
httpdeveloperapplecommaclibrarydocumentationAppleScriptConceptualAppleScriptXAp
pleScriptXhtml
34 Connection Options Connection Options dialog can be opened from Network Explorer menu ldquoFile | Connectionrdquo
341 P2P Connection This option allows user to specify the connection type between this computer and its peers The default option is
UDP User can also use direct TCP connection or relay traffic through NeoRouter server
342 Proxy Setting If the client host is behind proxy user can enter the proxy information here
User Manual
NeoRouter Inc 2010 Page 25 of 53
343 Server Local Address This option can be used to work around the connectivity issue when NeoRouter server is behind a router that does
not support hairpin
A router supports hairpin if it allows a host behind it to send network messages to its public-facing interface
Unfortunately some popular routers do not support this feature or turn off this feature by default
When user logs into NeoRouter Network Explorer first translates domain name into routerrsquos public address using
the NeoRouter DDNS service and then tries to connect to server using this address If both NeoRouter server and
client are behind the same router and the router does not support hairpin the router will block the messages that
client sends to the routerrsquos public address thus client fails to establish connection to server User could work around
this issue by entering serverrsquos LAN IP address instead of domain name in the ldquolog on tordquo box but this can be a
hassle for laptop users who frequently move between networks
These users can choose the second option ldquoConnect to server using its local address when possiblerdquo in the following
dialog and enter serverrsquos local address NeoRouter Network Explorer can detect when client and server are behind
the same router and automatically choose the specified local address to establish the connection to server
User Manual
NeoRouter Inc 2010 Page 26 of 53
35 Multi-Language
Multi-Language support allows you to change the default language displayed in Network Explorer NeoRouter
Portable and Configuration Explorer
351 Install a language resource file
NeoRouter applications support 34 languages and English is the default To install a new language you can
download the language resource files from
httpwwwneoroutercomwikiindexphpNeoRouterWikiMultilanguage and place them under the translation
folder Then the application will load them and list all available languages in the Language menu You can switch
language in the menu and the application will refresh its UI with the new language
For NeoRouter Network Explorer and Configuration Explorer the language resource files should be placed under
one of the following folders
ldquoProgram FilesZebraNetworkSystemsNeoRouterTranslationrdquo
ldquoAllUsersAppdataZebraNetworkSystemsNeoRouterTranslationrdquo
For NeoRouter PortableUSB the language resource file should be placed under Translations folder next to
application
352 Language resource file format
The file name should have the following format [Appliation Name] can be NRClient NRViewer and NRConsole
[LangCd] is the short language code
[Application name]Resource[LangCd][xml|dll]
For example Simplified Chinese version has the following files NRClientResourceZhCnxml for Network
Explorer NRConsoleResourceZhCnxml for Configuration Explorer and NRViewerResourceZhCnxml for
NeoRouter Portable
User Manual
NeoRouter Inc 2010 Page 27 of 53
Each resource file is an xml that contains all the strings defined in the NeoRouter applications The file is encoded in
ANSI The content should be in the format
ltxml version=10 encoding=windows-1252gt
ltresource CompactMode=1 Language=English (United States) LANGID=1033
version=09101650gt
ltstring id=100 value=OLE initialization failed Make sure that the OLE libraries are
the correct versiongt
ltresourcegt
Encoding (=windows-1252) Language(=English (United States)) and LANGID(=1033) are used to control
the translation version=09101650 is resource file version number introduced in v0910 The resource file can
be recognized properly only when these parameters are set properly
353 Multi-Language support for Add-ons
The names and descriptions of the add-ons can be translated to other languages as well You can download the add-
on configuration file from NeoRouter website and overwrite the following file
AllUserAppDataZebraNetworkSystemsNeoRouterAddOnsAddOnxml
36 Skin
Skin allows you to further customize the user interfaces of Network Explorer NeoRouter Portable and
Configuration Explorer
To install a new skin you can download the skin resource file from
httpwwwneoroutercomwikiindexphpNeoRouterWikiSkin and place them under the skin folder
For NeoRouter Network Explorer and Configuration Explorer the language resource files should be placed under
one of the following folders
ldquoProgram FilesZebraNetworkSystemsNeoRouterSkinrdquo
ldquoAllUsersAppdataZebraNetworkSystemsNeoRouterSkinrdquo
For NeoRouter PortableUSB the language resource file should be placed under Skin folder next to executable
To change default skin you need to modify (or create if not exists)
AllUserAppDataZebraNetworkSystemsNeoRouterFeatureini file and add the following
[Default]
SkinName=xxxxstyles
SkinStyle=xxxxini
37 Network Explorer CLI
NeoRouter Network Explorer Command Line Interface (CLI) allows user to sign in manage the computer list and
view computer status Below are the screenshots on Mac and Ubuntu Linux
User Manual
NeoRouter Inc 2010 Page 28 of 53
371 Launch CLI
Usage nrclientcmd [-d DOMAIN] [-u USERNAME] [-p PASSWORD] [-setproxy] [-setconn] [-dbroot DBROOT]
[-internal] [--help]
To launch Network Explorer CLI you can simply run nrclientcmd in a terminal without parameters Mac users can
simply double-click on the nrclientcmd shortcut on the Desktop You will be prompted for domain name and user
credential
If you need to launch nrclientcmd in a startup script you can also provide domain name or credential in the
command line arguments
If the client host is behind a proxy you can use ndashsetproxy option The proxy information will be stored in the
configuration file and nrclientcmd will respect this setting subsequently
There are also a few advance options
- setconn allow user to specify client-to-client connection type
- dbroot allow user to specify the location to store user data
- internal nrclientcmd will generate tags between information sections This option can be used by third
party developers to create a UI wrapper for CLI
372 Computer List in CLI
After signing in you will see your computer list just like on Windows The computer list will automatically update
if there are any changes in your virtual LAN eg a host comes online or offline
At the bottom of the screen lists the available commands you can use to manage the computer list change password
remotely wake up a computer or to quit
38 Network Explorer Portable
NeoRouter Network Explorer Portable can run from any computer without installation It does not require
administrator permission or use the virtual network adapter This application can be extremely useful for users who
need to connect to the VLAN from a public kiosk or from friendrsquos house
User Manual
NeoRouter Inc 2010 Page 29 of 53
Note Prior to v111 Portable and USB are two separate packages They are merged into one package in v111 and
later releases The new package is a zip file containing both the portable client and the USB Auto Run Configuration
Tool The functionalities are same as before
381 Network Explorer Portable
To use Network Explorer Portable client user can simply download it from NeoRouter download website and run
Then user will see the same user interface as the regular Network Explorer The user experience is almost the same
except for the following
The host running PortableUSB client cannot be added to the computer list or be accessed by remote computer
You can think of it as a ldquoviewer of the VLANrdquo
NeoRouter administrator users can see and manage hosts running PortableUSB clients in the Configuration
Explorer
382 Auto Run Configuration for USB
Auto Run Configuration Tool allows user to store the portable client add-ons and configuration on a USB drive
You can even configure it to launch and sign in automatically when the USB drive is plugged into a computer and to
sign out and exit when the USB drive is unplugged
Here are the steps for setting up the USB package
a Download NeoRouter for USB
b Unzip the package to any folder For example CTEMP
c Launch the ldquoAuto Run Configuration Toolrdquo (AutoRunCfgexe)
User Manual
NeoRouter Inc 2010 Page 30 of 53
d Click on the ldquohelliprdquo button next to the working directory text box and specify a working path If the target
USB drive is plugged in you can specify the USB drive root path as the working directory Or you can
specify a temporary path (eg CTEMPUSB) and copy the files to your USB driver later
e Once you specify a working directory the Settings section will be enabled
f Choose CliViewerexe from the same install zip package as the Target file
g Check the Sign in checkbox and enter the domain name and user information to log into your NeoRouter
VLAN
h Setup the proxy information if necessary
i If you want to import a NeoRouter add-on click on the button on the right side of the Add-on file text
box and specify an add-on nri file
j If you want to run an application automatically after signing in click on the Run application
automatically check box and input an executable file path and parameters
k If you want to hide the NeoRouter Viewer window click on the Minimize NeoRouter window when
started
l Click on Save button to save the configuration files It will generate the following files under the working
directory
- Autoruninf
- CliViewerexe copied from the target file
- NRAutoRunxml
- [add-on file]nri if you specify an add-on
- Proxyxml if you specify a proxy
m You will also see the following dialog if the configuration was successful Then please copy all files and
sub-folder under the working directory to the root of your USB drive And the USB drive is ready to use
39 Change Password
A user can change hisher password in NeoRouter Network Explorer User must sign in the Network Explorer using
old password then choose menu ldquoFile | Change Passwordrdquo then enter the new password in the dialog
Network Explorer CLI has similar functionality After signing in user can use ndashchangepassword command to enter
new password
If a user loses the old password an administrator can create a new password for himher using the Configuration
Explorer User Management tool
User Manual
NeoRouter Inc 2010 Page 31 of 53
4 Configuration Explorer
NeoRouter Configuration Explorer is a Windows application that allows an administrator to manage local or remote
NeoRouter server This is the recommended method to change server settings
If user does not have a Windows computer nrserver CLI can be used to perform most configurations
41 Launch and Sign In
Note Only administrators can sign in Configuration Explorer
a User can launch it from Windows Start Menu | All Programs | NeoRouter | NeoRouter Network Explorer
or from NeoRouter Network Explorer menu ldquoFile | Optionsrdquo
b After launch user will see a sign-in dialog that is similar to the Network Explorer counterpart Please enter
domain name and user credential to sign in If the local host is behind a proxy please click on Connection
button to set proxy information
c After sign in the following general information page will be displayed
User Manual
NeoRouter Inc 2010 Page 32 of 53
42 Managing Users
In the User Accounts page you can perform the following tasks
- View existing users The users list can be sorted by any column
- Add a new user admin will create a temporary password for the new user and user can change the
password in Network Explorer
- Edit user information you can enter anything like employer contact info etc
- Set userrsquos password If a user loses password admin can set a temporary password for himher Then user
can change the password again in Network Explorer
- Disable (block) a user A disabled user will not be able to sign in Network Explorer or Configuration
Explorer The userrsquos profile and ACL settings are retained
- Delete a user all information of this user is deleted
- View the computers that are visible to this user (see ACL section for details)
User Manual
NeoRouter Inc 2010 Page 33 of 53
43 Managing Computers
In the Computers page you can perform the following tasks
- View existing computers please note that the Type column will show ldquoTemporaryrdquo for Network Explore
PortableUSB clients and ldquoPermanentrdquo for regular clients The computer list can be sorted by any column
- Edit a computerrsquos alias When a computer is added to the virtual network NeoRouter reads the computer
name from the OS and displays it in the computer list If you prefer a different name you can create an
alias which will then be used in the computer list
- Edit a computerrsquos description you can enter anything like computer owner location asset id etc
- Edit ACL this will be discussed in next section
User Manual
NeoRouter Inc 2010 Page 34 of 53
44 Access Control List
This feature is available in NeoRouter Profession Edition only
441 Overview
The ACL of a host specifies which users are granted or denied access to the host and which specific services or ports
are allowed Administrators can use ACL to manage a NeoRouter domain that has users with different trust levels
For example Joe uses NeoRouter to manage the office network at his small business He wants to share some
documents on a file server with a customer but block this customer from accessing other services on this file server
and other computers at office At the same time Joe and his coworkers should continue to have full access to all
computers
This can be a daunting task with traditional VPN solutions Once Joersquos customer is connected into the office
network heshe can access all network resources just like Joe and his coworkers If the office uses a domain
controller it can help mitigate the threat but Joe would have to check all the computers to ensure they are secure
Some coworkers can make innocent mistakes and share important files or internal websites with ldquoeveryonerdquo With
NeoRouter Joe can manage all the access control at one place and easily solve this challenge
User Manual
NeoRouter Inc 2010 Page 35 of 53
ACL defines the relationships between users and computers that can be conceptually represented using a table In
Joersquos case he needs to define the ACL as follows
Default User Joe (Admin) Customer Joersquo Co-workers
Default Computer ACL Block all
File Server Allow all Allow file sharing
block other services
Office Computer A Allow all Block all
Office Computer B Allow all Block all
Joersquos laptop Allow all Block all
Customerrsquos Computer
Letrsquos first look at the row for File Server Joersquos customer will only have access to the files sharing service There is
no ACL defined for Joe and his co-workers so the ACL for Default User is effective and they have full access
Similarly the customer will be blocked from accessing office computer A and B as well as Joersquos laptop while Joe
and his coworkers have full access to these computers
When the customer connects to Joersquos NeoRouter domain his computer will be added to the domain Because the
ACL for this computer is undefined it will have the same ACL as ldquoDefault Computerrdquo Thus the customerrsquos
computer will block all users including Joe from accessing it The customer has physical access to his own
computer
442 Define Computer ACL
You can think of a computerrsquos ACL as a row in the above ACL table An admin can select any computer in the
computer list and edit its ACL If a group of computers share the same ACL admin can copy ACL from one
computer to another
To edit the Default Computer ACL you can click on the ldquoEdit Default ACLrdquo button in the tool bar
User Manual
NeoRouter Inc 2010 Page 36 of 53
443 Define ACL entry
An ACL entry defines the relationship between one user and one computer You can think of it as a cell in the above
table To edit an ACL entry you can select the computer in the computer list click Edit ACL in the tool bar and
then select the user in the User List in the following dialog If the user does not exist in the list you can click Add
button and add himher
There are 4 types of ACL entries
Undefined the relationship between the user and the computer is not explicitly defined The user does not
show up in the User List of the ACL In this case the Default User ACL entry for this computer will be
effective
Block All the computer is invisible to the user User cannot add the computer to hisher computer list in
Network Explorer or connect to it
Note admin can view the list of computers that is visible to a specific user Click on the User Accounts tab
choose the user and then click on the ldquoUser Computer Listrdquo button from tool bar
Firewall On User can only access the services in the exceptions list provided by the computer
Firewall Off User can access all services provided by the computer
To define the Default User ACL entry for a computer choose Default User from User List If several users have the
same trust level admin can copy the ACL entry from one user to another using the ldquoCopy Fromrdquo button
444 How Firewall Works
NeoRouter Client Service daemon has a built-in firewall that monitors traffic in the virtual network The firewall
downloads the ACL from server and uses it to allow or deny incoming connections in the virtual network
User Manual
NeoRouter Inc 2010 Page 37 of 53
When a remote computer establishes a direct P2P or relayed connection to local host it also informs which user has
signed into the Network Explorer on the remote computer Then the local hostrsquos firewall will use the user id to
choose the appropriate ACL entry and control the virtual network traffic between these two computers If user does
not sign in Network Explorer on the remote computer the Default User ACL entry is used
As a result NeoRouter firewall can control a userrsquos access to a network resource (a computer or a service on a
computer) based on the ACL
445 Example hub-and-spoke
Jeffrsquos company has three business partners A B and C Jeff needs to setup bidirectional network connections with
each partner but these partners should be invisible to each other Jeff setup a NeoRouter domain and invited the
partners to Then Jeff creates the following ACL to achieve his access control goals
Default User Jeff (Admin) Partner A Partner B Partner C
Default Computer ACL Block all Allow all
Jeffrsquos Computer 1 (Hub 1) Allow all
Jeffrsquos Computer 2 (Hub 2) Allow all
Partner Arsquos Computer
Partner Brsquos computer
Partner Crsquos computer
Every user will have access to Jeffrsquos two computers (hub) because they have Default User ACL entry as ldquoAllow
allrdquo Partner Arsquos computer does not have a specific ACL defined so the Default Computer ACL is effective The
Default Computer ACL grants Jeff access to Partner Arsquos computer but make the computer invisible to Partner B and
C Partner A have physical access to his own computer
446 Example one-way access
Jasonrsquos company provide technical support for customer A Jason needs to have one-way access to Customer Arsquos
computer but block Customer A from accessing Jasonrsquos computer Jason sets up the following ACL for his domain
and invites Customer A to join his domain Jason can access all the computers in the domain while Customer A can
access none except for his own
One day Jason visits another Customer Brsquos office He installs NeoRouter client on Customer Brsquos computer so that he
can provide technical support remotely in the future When he signs into Network Explorer he makes sure to
uncheck ldquoremember my passwordrdquo checkbox When he leaves customer Brsquos office he exits the Network Explorer
Because Network Explorer is not running on Customer Brsquos computer the Default User ACL governs the
connections from Customer Brsquos computer to other computers in the VLAN Thus Customer B does not have access
to any computers except for his own When Jason goes back to his office he can connect to Customer Brsquos computer
remotely and provide customer support
The difference between Customer A and B is that Customer A has a NeoRouter user account while Customer B does
not The result is that Jason has access to all three computers while Customer A or B can only access hisher own
computer
Default User Jason (Admin) Customer A
Default Computer ACL Block all Allow all
Jasonrsquos Computer
Customer Arsquos Computer
Customer Brsquos Computer
User Manual
NeoRouter Inc 2010 Page 38 of 53
45 Managing Server and Domain
In the Settings page you can perform the following tasks
- Change domain name User should have setup a domain during the server installation If you decide to
change the domain name you can create a new domain at NeoRouter Dashboard website and then use
Configuration Explorer to switch the server to new domain
- Change Listen Port this is discussed in the Advanced Configuration chapter
- Change NAT setting this is discussed in the Server Installation chapter
- Change DHCP this is discussed in the Advanced Configuration chapter
Please restart the NeoRouter server daemon after changes
46 Branding
This feature is available in NeoRouter Profession Edition only
Admin can customize the logo on the sign-in page NeoRouter Network Explorer and the banner below the computer
list The customization page of the Configuration Explorer allows user to make these changes The changes will be
effective next time user signs into the Network Explorer
User Manual
NeoRouter Inc 2010 Page 39 of 53
a Logo format custom logo can be JPG JPEG BMP or GIF files The Logo will be displayed in 180 80
pixels and the file will be automatically resized to fit The color of the pixel at (0 0) will be used as the
transparent color
b Banner format custom banner can be JPG JPEG BMP or GIF files The banner will be displayed in
190 42 pixels and the file will be automatically resized to fit
c When user clicks on the banner Network Explorer will launch a web browser and navigate to the link
specified in the ldquoBanner Linkrdquo box The banner link should be a valid URL that begins with http eg
httpwwwgooglecom
User Manual
NeoRouter Inc 2010 Page 40 of 53
47 Server Configuration CLI
Another way to configure the NeoRouter server is to use nrserverrsquos CLI If user does not have a Windows computer
with Configuration Explorer this tool can be used to set most configurations
Usage nrserver [options]
-run [--dbroot ltDBROOTgt]]
-showsettings
-setdomain ltDOMAINNAMEgt ltDOMAINPASSWORDgt
-setport ltPORTgt
-dhcp ltSUBNETgt ltNETMASKgt
-showusers
-adduser ltUSERNAMEgt ltPASSWORDgt [admin|user]
-setpassword ltUSERNAMEgt ltNEW PASSWORDgt
-setrole ltUSERNAMEgt [admin|user]
-enableuser ltUSERNAMEgt
-disableuser ltUSERNAMEgt
-deleteuser ltUSERNAMEgt
-showcomputers
-deletecomputer COMPUTERNAME
-setalias COMPUTERNAME ALIAS
-help
5 Advanced Configuration
51 Change Server Port
By default NeoRouter server listens at TCP port 32976 for incoming client connections User can change the
listening port to any valid number between 1 and 65534
a Launch Configuration Explorer sign in and open the Settings tab
b Click on ldquoChange Portrdquo button input the new listening port and click ldquoOkrdquo to save the settings
c If the NeoRouter Server is running on the same computer user will be prompted for restarting the
NeoRouter Server
d If the NeoRouter Server is running on a different computer or device user needs to restart the server
manually
User Manual
NeoRouter Inc 2010 Page 41 of 53
Note
- The new settings will not take effect until the NeoRouter server stops and restarts
- Since the listening port has been changed all NeoRouter clients connected to the server will be
disconnected and have to reconnect to the server
52 Change DHCP NeoRouter server acts as a DHCP server to allocate the virtual IP address when a NeoRouter client connects to it By default the base IP address is 100002552552550 User can change the base IP address to any valid network IP address to meet the specific requirements
a Run Configuration Explorer sign in and open the ldquoSettingsrdquo tab b Click on ldquoChange DHCPrdquo button input the new IP address and netmask and then click ldquoOkrdquo to save the
settings c If the NeoRouter Server is running on the same computer user will be prompted for restarting the
NeoRouter Server d If the NeoRouter Server is running on a different computer or device user needs to restart the server
manually
Note
- The new settings will not take effect until the NeoRouter server stops and restarts
53 Network Bridge
531 Overview NeoRouter (v099 or later) supports the Network Bridge feature which uses two very different means for
interconnecting networks routing and bridging Once the feature is enabled the ACL feature will be disabled
automatically as we cannot control the packets from the external networks anymore and may cause security issues if
its not setup properly So this is an advanced feature for the users who know about it every well
Routing - refers to the interconnection of separate and independent sub-networks (subnets) which have non-
overlapping ranges of IP addresses Upon receiving a packet sent to it a network router examines the
destination IP address to determine which of several connected networks should receive it after which that packet
is forwarded to the proper network
User Manual
NeoRouter Inc 2010 Page 42 of 53
Bridging - by comparison is much simpler A network bridge is simply an electrical interconnection between
separate physical networks that are all carrying the same ranges of IP addresses Standard dumb network hubs
and switches are examples of network bridges With a hub packets arriving at any port are bridged and sent
out to every other port A switch is a bit smarter since it is able to adaptively learn which network interface cards
(NICs) are attached to which ports But a switch is still interconnecting network segments carrying the same
ranges of IP addresses
532 Routing vs Bridging Although routed connections are the most common and straightforward to configure they suffer from significant
operational limitations By comparison bridged connections are generally much trickier to configure and are not
even natively available under all operating systems so they are not the default connection type But when bridging
is properly setup it correctly does everything that we want
Bridging and routing are functionally very similar with the major difference being that a routed VPN will not pass
IP broadcasts while a bridged VPN will
Routing advantages
Efficiency and scalability
Allows better tuning of MTU for efficiency
Routing disadvantages
Clients must use a WINS server (such as samba) to allow cross-VPN network browsing to work
Routes must be set up linking each subnet
Software that depends on broadcasts will not see machines on the other side of the VPN
Works only with IPv4 in general and IPv6 in cases where tuntap drivers on both ends of the connection
support it explicitly
Bridging advantages
Broadcasts traverse the VPN -- this allows software that depends on LAN broadcasts such as Windows
NetBIOS file sharing and network neighborhood browsing to work
No route statements to configure
Works with any protocol that can function over ethernet
Relatively easy-to-configure solution for road warriors
Bridging disadvantages
Less efficient than routing and does not scale well
533 Setup Network Bridge With either bridging mode or routing mode one can create point-to-site VPN site-to-site VPN or even multiple site-
to-site networks Once a network structure is well designed one can use Featureini file to control NeoRouter client
service to implement it
The file Featureini is located in the main configuration folder which can be various for different OS
On Windows Xp
XDocuments and SettingsAll UsersApplication DataZebraNetworkSystemsNeoRouter
On Vista+
XUsersAll UsersZebraNetworkSystemsNeoRouter
On Linux and Mac OSX
usrlocalZebraNetworkSystemsNeoRouter
On in-a-box
jffs
If it does not exist please create one
The only thing to do is define the parameters in the Featureini file
User Manual
NeoRouter Inc 2010 Page 43 of 53
NetworkBridge=1
LANSegment parameter
This is a set of parameters used for mapping the external IP address or IP range to a virtual IP address so that
NeoRouter can route the packets to the proper tunnel Its defined in the following format
LANSegment[index]=[IP|IP range|segment]VIP
[index] - number start from 1 for example 123
[IP] - a valid external IP address for example 192168129126
[IP range] - a set of external IP addresses in the format as IP_BEGIN-IP_END For example 192168129126-
192168129128
[segment] - a set of external IP addresses in the format as SUBNETWORKNETMASK For example
19216812902552552550
For example
[Default]
NetworkBridge=1
LANSegment1=192168129126-192168129128192168129204
LANSegment2=192168129120192168129205
LANSegment3=192168302552552550192168129206
In the sample above the setting tells NeoRouter how to route packets
Here are several common scenarios
534 Bridging Setup ndash point to site VPN
Requirement
A company wants create a point-to-site VPN so that the employees can remotely access the printers or computers in
the office from home or customer site Since NeoRouter client cannot be installed on the printers and some
User Manual
NeoRouter Inc 2010 Page 44 of 53
computers that are running Unix OS (HP-Unix Solaris or SCO Unix) the NeoRouter Network Bridge feature
would the best choice
Design
Since we want to use the printer its better to use the bridging mode Depending on the requirements we split the
network into 3 groups
1 192168129126 - 192168128128 used for computers or printers
2 192168129200 - 192168129254 used for NeoRouter DHCP
3 Other IP address we dont want packets from these IP range go to our VPN
Setup
1 Setup NeoRouter server and config the DHCP address to 1921681292002552552550
2 Setup the gateway computer by creating a bridge to combine the NeoRouter virtual adapter and a local adapter
On Windows XP+ (except WinXp x64) one can use Windows tool to create a bridge
(check out MSDN for details)
Since some adapters may not fully support prosmic mode one has to enable it manually
(check out httpsupportmicrosoftcomkb302348)
gt netsh bridge show adapter
gt netsh bridge set a 1 e
gt netsh bridge set a 2 e
On Linux one can use brctl command to create a bridge
gt brctl addbr $br
gt brctl addif $br eth0
gt brctl addif $br nrtap
gt ifconfig nrtap 0000 promisc up
gt ifconfig eth0 0000 promisc up
gt ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast
gt
gt ifconfig $br down
gt brctl delbr $br
3 Setup Featureini file on each member of the NeoRouter network The content of the file is
[Default]
NetworkBridge=1
LANSegment1=192168129126-192168129128192168129204
After setting the file restart the nrservice or reboot computer
User Manual
NeoRouter Inc 2010 Page 45 of 53
535 Routing Setup ndash site to site VPN
Requirement
A company wants create a site-to-site VPN to link two offices located in different cities They cannot install
NeoRouter client software on their computers running Unix OS (HP-Unix Solaris or SCO Unix) The NeoRouter
Network Bridge feature would be the best choice
Design
To make the VPN fast its better to use the routing mode From the requirements we can see 3 networks
1 19216812902552552550 Office 1
2 192168302552552550 Office 2
3 100102552552550 NeoRouter virtual network
Setup
1 Setup NeoRouter client on each gateway computers
2 One each gateway computer enable the feature allowing the OS to forward packets
On Windows 2000+
create HKEY_Local_MachineSystemCurrentControlSetServicesTcpipParametersIPEnableRouter
as a string value equal to 1 in the registry This will require a system reboot to take effect To confirm it
is enabled do ipconfig all from the command line IP Routing Enabled should say yes If not confirm your
registry setting and reboot again This setting is flaky in non-server versions of Windows
Also refer to httpsupportmicrosoftcomkb230082en-us
On Linux
gt echo 1 gt procsysnetipv4ip_forward
User Manual
NeoRouter Inc 2010 Page 46 of 53
On Mac OS X
1) The easy way is to create or edit etcsysctlconf and add netinetipforwarding=1
or
2) gt sysctl -w netinetipforwarding=1
3 Setup route on each gateway
On the gateway of the 1921683x network
gt route ndashp add 1921681290 mask 25525500 1001103
On the gateway of the 192168129x network
gt route ndashp add 19216830 mask 25525500 1001102
4 Setup route stable When using routing method you need to tell your other machines how to cross the VPN to
access computers on the opposite network
Option1
This requires more work but limits configuration changes to be at the computer level
On each computer of the 1921683x network
gt route ndashp add 1921681290 mask 25525500 1921683234
On each computer of the 192168129x network
gt route ndashp add 19216830 mask 25525500 192168129129
Option 2 (not all routers support this but it is the minimal configuration method)
On the router acting as the default gateway for 1921683x network add a static route that says any traffic destined
for 1921681290 network go through 1921683x (IP address of NeoRouter PC on 1921683x network)
On the router acting as the default gateway for 192168129x network add a static route that says any traffic
destined for 19216830 network go through 192168129x (IP address of NeoRouter PC on 192168129x
network)
User Manual
NeoRouter Inc 2010 Page 47 of 53
536 Bridging Setup ndash site to site VPN
537 Run Scripts When Network Bridge feature is enabled one can define commands getting called by NR Client on the following
events
These commands should be defined in the Featureini file
1When initialize the tap device but not activate it yet
CmdOnTapInit=xxxxxxxxx
2When the tap device gets activated
CmdOnTapActive=xxxxxxxxx
3When tap device gets destroyed
CmdOnTapUninit=xxxxxxxxx
These options are available on all platforms
For example one can define a script to setup static route table after the tap gets activated and has virtual IP address
assigned
Featureini
CmdOnTapActive=usrbinsetroutetablesh
User Manual
NeoRouter Inc 2010 Page 48 of 53
54 Build Custom Add-on (Windows)
541 Create Custom Add-on You can customize an add-on or even create your own
As an example letrsquos create an add-on to get the system info of a remote computer using PsTools by Mark
Russinovich and systeminfoexe command shipped with Windows
PsTools httptechnetmicrosoftcomen-ussysinternalsbb896649aspx
systeminfo httptechnetmicrosoftcomen-uslibrarybb491007aspx
a Launch NeoRouter Network Explorer open Add-ons Manager dialog
b Click + button to create a new add-on
c In add-on properties dialog enter the following
Add-on name psexec systeminfo
Command
cmdexe C cpstoolspsexecexe NRIPAddress -u ltusernamegt systeminfo amp pause
Please replace ltusernamegt with username on the remote computer
Comment Get SystemInfo of remote machine using psexec
Startup Type Manual
Icon click Change Icon button to choose one thats easy to recognize
d In the command you can use Windows environment variables or NeoRouter variables like
NRIPAddress If you click on the button next to the Command edit box you will see the Edit
Command dialog with a list of variables you can use
User Manual
NeoRouter Inc 2010 Page 49 of 53
e Three Startup types are supported
Manual the add-on will be displayed in the launch pad of Network Explorer and user can manually
launch the program
Automatic after signing in the add-on command is automatically executed when user signs into
NeoRouter Network Explorer
Automatic after Windows starts the add-on command is automatically executed when Windows
starts
f Launch the new add-on just click on the target computer in Network Explorer and choose the add-on in
the pop-up launch pad
User Manual
NeoRouter Inc 2010 Page 50 of 53
g In the above steps I have assumed that PsTools are installed at cPsTools and the remote computer has
telnet service enabled If not lets configure the system now
PsTools download from httptechnetmicrosoftcomen-ussysinternalsbb896649aspx and extract to
cPsTools folder
h Configure telnet service on remote computer This step is required on XPVista but not necessary on
Windows 20032008 servers
Run servicesmsc from the Start -gt Run command window and configured the Telnet service for
Automatic Start the service
Follow the instructions here httpsupportmicrosoftcomkb298060en-us
Launch Windows firewall and add CWINDOWSSystem32tlntsvrexe to exception list
542 Add-on File Formats
NeoRouter supports two types of add-on files nri and nra Most users only need to deal with nri files all files
downloaded from httpwwwneoroutercomaddonsindexhtml are in this format nra files are used by advanced
users to build custom add-ons
nri is the full installation package that contains both the application and the the configure info Users can simply
download nri files from and use the Install button to setup the add-on
nra contains only the configuration info Advanced users can create custom add-ons and export the configuration
info as nra files using the Export button in the add-on properties dialog Then heshe can import the nra file
on another client But remember that you will need to manually setup the application as well
User Manual
NeoRouter Inc 2010 Page 51 of 53
6 Licensing NeoRouter
61 Licensing Overview
NeoRouter Server Professional Edition has a license control mechanism User can purchase either 8 licenses or 256
licenses The number of licenses is the max number of client computers allowed in the virtual network A
NeoRouter client requires one license regardless of whether it is online or offline A NeoRouter PortableUSB client
requires one license when it is connected to the virtual network There is no limit on the number of user accounts
NeoRouter Professional has 30 days trial period Please activate before the trial period expires to ensure
uninterrupted usage The license status and remaining trial days can be found at Configuration Explorerrsquos General
page
62 Activation
If you have purchased NeoRouter Professional Edition you should receive a product key in email Please have the
product key ready before starting the activation process
a Ensure NeoRouter server is running
b Launch Configuration Explorer and sign in
c Open ldquoGeneralrdquo page click on the ldquoActivate Productrdquo button
d Enter the product key in the following dialog
e Click on the ldquoOKrdquo button to activate it
After successful activation the ldquoActivate Productrdquo button will disappear and License status will show as activated
If the server host is non-Windows you can also activate using nrserverrsquos CLI The command is as follows On Mac
nrserver executable is located under LibraryNeoRouter
ldquonrserver ndashactivateproduct ltPRODUCT KEYgtrdquo
63 Product Key Recovery
You should receive a product key in email within 48 hours after your purchase If you lose the product key please
contact us and provide your name company shipping address and email address We will verify the information and
resend the product key to you
User Manual
NeoRouter Inc 2010 Page 52 of 53
7 Troubleshooting and Support
71 Troubleshooting
If you come cross issues when using NeoRouter please use the methods to debug or report
711 Troubleshooting steps
1Install Server
2Check Server
Process
3Check Server
Listening port
4Check Port
Forwarding
6Signin with
Domain
14Check Error
Message
20 Generate Log
and email support
9Install Client
10Check Client
Service Process
11Sign in with
serverrsquos local or
public IP and port
failed
sucessful
15 Manually Start
Servernot found
started
not start
found
not open17 Check Port
conflicts
solved
Not solved
opened
19 Check Router
Port Forward
setting
not work
Set properly
8Ready
Sign in successfully
5Sign in with
public IP and port
successful
Cannot sign in
22 Router Hairpin
issue
Cannot
sign in
12Sign in with
domain name
found
successful
failed
16 Manually Start
Client ServiceNot found
started
13Ready
Sign in successfully
18 Check serverCannot
Sign in
solved
Cannot
sign in
21 Check domain
setting
Not sovled solved
Troubleshooting Steps
Setup Server Setup Client
Note
Step 2 and 10 to check if a process is running you can use Task Manager or Services Console on
Windows or ps command on other platforms
Step 3 to check server listening port you can use telnet or netstat on all platforms You can also
TcpViewer on Windows or NetActView on Linux
Step 4 to check port forwarding you can use httpwwwneoroutercomcheckportphp
Step 5 and 6 Tip ndash use Configuration Explorer instead of Network Explorer to debug server issues
Step 20 next section will explain how to generate log files
User Manual
NeoRouter Inc 2010 Page 53 of 53
Step 22 If your router does not support Hairpin please set serverrsquos LAN address in the Connection
Options dialog See Server Local Address
712 Generate Log
If you need technical support please use the following steps to collect the log files and send them to
supportneoroutercom
a Launch Network Explorer
b Select menu item HelpgtgtTroubleshootinggtgtLog Session to File
c If you want to troubleshoot the server then restart the NeoRouter server service from the servicesmsc if
you want to create log for the client then restart the NeoRouter client service from the servicemsc
d After reproduce the issue select menu item HelpgtgtTroubleshootinggtgt Log Session to File again to disable
the log and restart the service you are trying to log
e Select menu item HelpgtgtTroubleshootinggtgtOpen Configuration Folder and you will see the log file
For advanced users please setup logging settings manually referring to
httpwwwneoroutercomwikiindexphpNeoRouterWikiFAQHow_to_generate_a_log_file3F
72 Contact Us
Company website
httpwwwneoroutercom
Technical support
supportneoroutercom
Support ticket
httpswwwneoroutercomDashboardSendTicketaspx
Support forum
httpwwwneoroutercomforum
Product sales
salesneoroutercom
Knowledge base
httpwwwneoroutercomsupport
User Manual
NeoRouter Inc 2010 Page 15 of 53
run nrclientcmd to launch the Network Explorer CLI
h Disable firewall if you would like to establish direct P2P connection to this client
i Use the following steps to run client service automatically
vi usrbinnrcronclient and enter
binsh
if [ -z $(ps | grep nrservice | grep -v grep) ] then
usrbinnrservice gtdevnull amp
fi
exit 0
chmod 755 usrbinnrcronclient
Add a new entry to fonstate
etcinitdfonstate stop
vi etcconfigfonstate and enter
config fontimer
option action usrbinnrcronclient
option period 30
etcinitdfonstate start
3 Network Explorer
31 Launch and Sign In
a On Windows launch NeoRouter Network Explorer from Windows Start Menu | All Programs | NeoRouter
| NeoRouter Network Explorer
On Mac Leopard or above launch NeoRouter Network Explorer from Applications folder You can also
pin NeoRouter to the dock
User Manual
NeoRouter Inc 2010 Page 16 of 53
b Enter user credential
- If NeoRouter server is installed on Windows please use the administrator account created during
server setup
- If NeoRouter server is installed on other platforms NeoRouter can defer the authentication to the
operating system so user can sign in using the same username and password as heshe logs into OS
- User can also use the additional accounts created in Configuration Explorer or server CLI
- If you are invited to a NeoRouter domain please contact the administrator for your account
information
c In the Log on to field enter the domain name you have chosen during server setup Alternatively you can
enter the serverrsquos IP address or computer name You can also enter localhost if the Network Explorer is
on the same host as the server
d If the client host is behind proxy please choose Menu ldquoFile | Connectionsrdquo to bring up the Connection
Options dialog click Proxy Setting tab and then set proxy information
e Click the Sign In button
32 Computer List
The computer list is your view of the VLAN You can add any computer in your VLAN to this list and organize
according to your preference You will always have the same list regardless where you sign in from Each user will
have hisher separate list
Initially you will see an empty computer list after signing in for the very first time (see the left picture below) To
add a computer you can choose the menu Computers | Add a computer and then select the computer and category
in the dialog Once complete your computer list will be updated (see the right picture below)
You can use categories to help manage a long list of computers To create a category you can choose menu
Computers | Create a category To move a computer to a different category you can simply drag and drop
User Manual
NeoRouter Inc 2010 Page 17 of 53
Starting in release v098 the computer list shows the OS type icons next to a computer name If a computer is
online its icon is colourful and its name is bold If a computer is offline its icon is grey and its name is not bold
33 Add-on Add-ons extend NeoRouter Network Explorer and let you perform additional tasks over the virtual network
User Manual
NeoRouter Inc 2010 Page 18 of 53
331 Add-on launch pad
If you click on a computer in the computer list a popup dialog will display a list of actions you can take to remotely
control and access this computer This dialog is called the add-on launch pad
Screenshots on Windows
Screenshot on Mac
User Manual
NeoRouter Inc 2010 Page 19 of 53
NeoRouter Network Explorer has a few system default add-ons If a computer is online the following add-ons are
available
Icon Action
remote desktop connection
file sharing
ICMP ping
copy the IP address
If a computer is offline the following add-ons are supported
Icon Action
remote wakeup (WOL)
Note on remote wakeup NeoRouter server can send the Magic packet and wake up hosts that are WOL enabled If
the NeoRouter server is installed on a router remote wakeup works for hosts directly attached to this router If
server is installed on Windows Linux or Mac remote wakeup works for hosts in the same physical LAN To enable
WOL you may need to change BIOS and OS settings
332 Manage Add-ons (Windows)
You can download additional add-ons from the NeoRouter download website
(httpwwwneoroutercomaddonsindexhtml) and install them using the Add-on Manager Here we use UltraVNC
as an example to explain the setup process
a Launch NeoRouter Network Explorer choose menu File - Add-ons
b The Add-ons Manager dialog lists all the existing add-ons including system default ones and those
installed by user
User Manual
NeoRouter Inc 2010 Page 20 of 53
c To find more add-ons click on the Add-ons Gallery link at the bottom of the dialog or visit
httpwwwneoroutercomaddonsindexhtml in your web browser Download the add-on (nri) file to
your computer
d In the Add-ons Manager dialog click on Install button locate the nri file you just downloaded and
click Open to install the add-on
e Some add-ons including UltraVNC may require user to restart the NeoRouter Network Explorer to
complete the installation In such case you will see the following message box You can exit NeoRouter
Network Explorer by right click its icon in system tray and choose exit
f After installation you will see the new add-ons show up in the list
User Manual
NeoRouter Inc 2010 Page 21 of 53
g When you re-launch NeoRouter Network Explorer UltraVNC server will be started automatically If you
have not run UltraVNC server before you will see the following firewall warning and VNC configuration
dialog
h Please click the unblock button when you see the following dialog
Please enter VNC password then click the Ok button
User Manual
NeoRouter Inc 2010 Page 22 of 53
i Repeat the above steps on the remote computer that you plan to access
j To launch VNC viewer and access the remote computer choose the computer in the computer list and
click VNC viewer icon in the launch pad
333 Manage Add-ons (Mac)
a Launch NeoRouter Network Explorer choose menu File - Add-ons
b The Add-ons Manager dialog lists all the existing add-ons including system default ones and those added
by user
User Manual
NeoRouter Inc 2010 Page 23 of 53
c An add-on is essentially an apple script with NeoRouter parameters Here are some examples
Name Script
Copy IP set the clipboard to $NRIPAddress
Ping tell application Terminal to do script ping $NRIPAddress
Shared Folder tell application Finder to open location smb$NRIPAddress
Variables $NRIPAddress and $NRComputerName will be replaced with the IP and name of the selected
computer before the add-on is executed
d You can also create new add-ons or edit existing ones using the Add-On Properties dialog
User Manual
NeoRouter Inc 2010 Page 24 of 53
e To learn more about Apple Script please visit the following websites
httpenwikipediaorgwikiAppleScript
httpdeveloperapplecommaclibrarydocumentationAppleScriptConceptualAppleScriptXAp
pleScriptXhtml
34 Connection Options Connection Options dialog can be opened from Network Explorer menu ldquoFile | Connectionrdquo
341 P2P Connection This option allows user to specify the connection type between this computer and its peers The default option is
UDP User can also use direct TCP connection or relay traffic through NeoRouter server
342 Proxy Setting If the client host is behind proxy user can enter the proxy information here
User Manual
NeoRouter Inc 2010 Page 25 of 53
343 Server Local Address This option can be used to work around the connectivity issue when NeoRouter server is behind a router that does
not support hairpin
A router supports hairpin if it allows a host behind it to send network messages to its public-facing interface
Unfortunately some popular routers do not support this feature or turn off this feature by default
When user logs into NeoRouter Network Explorer first translates domain name into routerrsquos public address using
the NeoRouter DDNS service and then tries to connect to server using this address If both NeoRouter server and
client are behind the same router and the router does not support hairpin the router will block the messages that
client sends to the routerrsquos public address thus client fails to establish connection to server User could work around
this issue by entering serverrsquos LAN IP address instead of domain name in the ldquolog on tordquo box but this can be a
hassle for laptop users who frequently move between networks
These users can choose the second option ldquoConnect to server using its local address when possiblerdquo in the following
dialog and enter serverrsquos local address NeoRouter Network Explorer can detect when client and server are behind
the same router and automatically choose the specified local address to establish the connection to server
User Manual
NeoRouter Inc 2010 Page 26 of 53
35 Multi-Language
Multi-Language support allows you to change the default language displayed in Network Explorer NeoRouter
Portable and Configuration Explorer
351 Install a language resource file
NeoRouter applications support 34 languages and English is the default To install a new language you can
download the language resource files from
httpwwwneoroutercomwikiindexphpNeoRouterWikiMultilanguage and place them under the translation
folder Then the application will load them and list all available languages in the Language menu You can switch
language in the menu and the application will refresh its UI with the new language
For NeoRouter Network Explorer and Configuration Explorer the language resource files should be placed under
one of the following folders
ldquoProgram FilesZebraNetworkSystemsNeoRouterTranslationrdquo
ldquoAllUsersAppdataZebraNetworkSystemsNeoRouterTranslationrdquo
For NeoRouter PortableUSB the language resource file should be placed under Translations folder next to
application
352 Language resource file format
The file name should have the following format [Appliation Name] can be NRClient NRViewer and NRConsole
[LangCd] is the short language code
[Application name]Resource[LangCd][xml|dll]
For example Simplified Chinese version has the following files NRClientResourceZhCnxml for Network
Explorer NRConsoleResourceZhCnxml for Configuration Explorer and NRViewerResourceZhCnxml for
NeoRouter Portable
User Manual
NeoRouter Inc 2010 Page 27 of 53
Each resource file is an xml that contains all the strings defined in the NeoRouter applications The file is encoded in
ANSI The content should be in the format
ltxml version=10 encoding=windows-1252gt
ltresource CompactMode=1 Language=English (United States) LANGID=1033
version=09101650gt
ltstring id=100 value=OLE initialization failed Make sure that the OLE libraries are
the correct versiongt
ltresourcegt
Encoding (=windows-1252) Language(=English (United States)) and LANGID(=1033) are used to control
the translation version=09101650 is resource file version number introduced in v0910 The resource file can
be recognized properly only when these parameters are set properly
353 Multi-Language support for Add-ons
The names and descriptions of the add-ons can be translated to other languages as well You can download the add-
on configuration file from NeoRouter website and overwrite the following file
AllUserAppDataZebraNetworkSystemsNeoRouterAddOnsAddOnxml
36 Skin
Skin allows you to further customize the user interfaces of Network Explorer NeoRouter Portable and
Configuration Explorer
To install a new skin you can download the skin resource file from
httpwwwneoroutercomwikiindexphpNeoRouterWikiSkin and place them under the skin folder
For NeoRouter Network Explorer and Configuration Explorer the language resource files should be placed under
one of the following folders
ldquoProgram FilesZebraNetworkSystemsNeoRouterSkinrdquo
ldquoAllUsersAppdataZebraNetworkSystemsNeoRouterSkinrdquo
For NeoRouter PortableUSB the language resource file should be placed under Skin folder next to executable
To change default skin you need to modify (or create if not exists)
AllUserAppDataZebraNetworkSystemsNeoRouterFeatureini file and add the following
[Default]
SkinName=xxxxstyles
SkinStyle=xxxxini
37 Network Explorer CLI
NeoRouter Network Explorer Command Line Interface (CLI) allows user to sign in manage the computer list and
view computer status Below are the screenshots on Mac and Ubuntu Linux
User Manual
NeoRouter Inc 2010 Page 28 of 53
371 Launch CLI
Usage nrclientcmd [-d DOMAIN] [-u USERNAME] [-p PASSWORD] [-setproxy] [-setconn] [-dbroot DBROOT]
[-internal] [--help]
To launch Network Explorer CLI you can simply run nrclientcmd in a terminal without parameters Mac users can
simply double-click on the nrclientcmd shortcut on the Desktop You will be prompted for domain name and user
credential
If you need to launch nrclientcmd in a startup script you can also provide domain name or credential in the
command line arguments
If the client host is behind a proxy you can use ndashsetproxy option The proxy information will be stored in the
configuration file and nrclientcmd will respect this setting subsequently
There are also a few advance options
- setconn allow user to specify client-to-client connection type
- dbroot allow user to specify the location to store user data
- internal nrclientcmd will generate tags between information sections This option can be used by third
party developers to create a UI wrapper for CLI
372 Computer List in CLI
After signing in you will see your computer list just like on Windows The computer list will automatically update
if there are any changes in your virtual LAN eg a host comes online or offline
At the bottom of the screen lists the available commands you can use to manage the computer list change password
remotely wake up a computer or to quit
38 Network Explorer Portable
NeoRouter Network Explorer Portable can run from any computer without installation It does not require
administrator permission or use the virtual network adapter This application can be extremely useful for users who
need to connect to the VLAN from a public kiosk or from friendrsquos house
User Manual
NeoRouter Inc 2010 Page 29 of 53
Note Prior to v111 Portable and USB are two separate packages They are merged into one package in v111 and
later releases The new package is a zip file containing both the portable client and the USB Auto Run Configuration
Tool The functionalities are same as before
381 Network Explorer Portable
To use Network Explorer Portable client user can simply download it from NeoRouter download website and run
Then user will see the same user interface as the regular Network Explorer The user experience is almost the same
except for the following
The host running PortableUSB client cannot be added to the computer list or be accessed by remote computer
You can think of it as a ldquoviewer of the VLANrdquo
NeoRouter administrator users can see and manage hosts running PortableUSB clients in the Configuration
Explorer
382 Auto Run Configuration for USB
Auto Run Configuration Tool allows user to store the portable client add-ons and configuration on a USB drive
You can even configure it to launch and sign in automatically when the USB drive is plugged into a computer and to
sign out and exit when the USB drive is unplugged
Here are the steps for setting up the USB package
a Download NeoRouter for USB
b Unzip the package to any folder For example CTEMP
c Launch the ldquoAuto Run Configuration Toolrdquo (AutoRunCfgexe)
User Manual
NeoRouter Inc 2010 Page 30 of 53
d Click on the ldquohelliprdquo button next to the working directory text box and specify a working path If the target
USB drive is plugged in you can specify the USB drive root path as the working directory Or you can
specify a temporary path (eg CTEMPUSB) and copy the files to your USB driver later
e Once you specify a working directory the Settings section will be enabled
f Choose CliViewerexe from the same install zip package as the Target file
g Check the Sign in checkbox and enter the domain name and user information to log into your NeoRouter
VLAN
h Setup the proxy information if necessary
i If you want to import a NeoRouter add-on click on the button on the right side of the Add-on file text
box and specify an add-on nri file
j If you want to run an application automatically after signing in click on the Run application
automatically check box and input an executable file path and parameters
k If you want to hide the NeoRouter Viewer window click on the Minimize NeoRouter window when
started
l Click on Save button to save the configuration files It will generate the following files under the working
directory
- Autoruninf
- CliViewerexe copied from the target file
- NRAutoRunxml
- [add-on file]nri if you specify an add-on
- Proxyxml if you specify a proxy
m You will also see the following dialog if the configuration was successful Then please copy all files and
sub-folder under the working directory to the root of your USB drive And the USB drive is ready to use
39 Change Password
A user can change hisher password in NeoRouter Network Explorer User must sign in the Network Explorer using
old password then choose menu ldquoFile | Change Passwordrdquo then enter the new password in the dialog
Network Explorer CLI has similar functionality After signing in user can use ndashchangepassword command to enter
new password
If a user loses the old password an administrator can create a new password for himher using the Configuration
Explorer User Management tool
User Manual
NeoRouter Inc 2010 Page 31 of 53
4 Configuration Explorer
NeoRouter Configuration Explorer is a Windows application that allows an administrator to manage local or remote
NeoRouter server This is the recommended method to change server settings
If user does not have a Windows computer nrserver CLI can be used to perform most configurations
41 Launch and Sign In
Note Only administrators can sign in Configuration Explorer
a User can launch it from Windows Start Menu | All Programs | NeoRouter | NeoRouter Network Explorer
or from NeoRouter Network Explorer menu ldquoFile | Optionsrdquo
b After launch user will see a sign-in dialog that is similar to the Network Explorer counterpart Please enter
domain name and user credential to sign in If the local host is behind a proxy please click on Connection
button to set proxy information
c After sign in the following general information page will be displayed
User Manual
NeoRouter Inc 2010 Page 32 of 53
42 Managing Users
In the User Accounts page you can perform the following tasks
- View existing users The users list can be sorted by any column
- Add a new user admin will create a temporary password for the new user and user can change the
password in Network Explorer
- Edit user information you can enter anything like employer contact info etc
- Set userrsquos password If a user loses password admin can set a temporary password for himher Then user
can change the password again in Network Explorer
- Disable (block) a user A disabled user will not be able to sign in Network Explorer or Configuration
Explorer The userrsquos profile and ACL settings are retained
- Delete a user all information of this user is deleted
- View the computers that are visible to this user (see ACL section for details)
User Manual
NeoRouter Inc 2010 Page 33 of 53
43 Managing Computers
In the Computers page you can perform the following tasks
- View existing computers please note that the Type column will show ldquoTemporaryrdquo for Network Explore
PortableUSB clients and ldquoPermanentrdquo for regular clients The computer list can be sorted by any column
- Edit a computerrsquos alias When a computer is added to the virtual network NeoRouter reads the computer
name from the OS and displays it in the computer list If you prefer a different name you can create an
alias which will then be used in the computer list
- Edit a computerrsquos description you can enter anything like computer owner location asset id etc
- Edit ACL this will be discussed in next section
User Manual
NeoRouter Inc 2010 Page 34 of 53
44 Access Control List
This feature is available in NeoRouter Profession Edition only
441 Overview
The ACL of a host specifies which users are granted or denied access to the host and which specific services or ports
are allowed Administrators can use ACL to manage a NeoRouter domain that has users with different trust levels
For example Joe uses NeoRouter to manage the office network at his small business He wants to share some
documents on a file server with a customer but block this customer from accessing other services on this file server
and other computers at office At the same time Joe and his coworkers should continue to have full access to all
computers
This can be a daunting task with traditional VPN solutions Once Joersquos customer is connected into the office
network heshe can access all network resources just like Joe and his coworkers If the office uses a domain
controller it can help mitigate the threat but Joe would have to check all the computers to ensure they are secure
Some coworkers can make innocent mistakes and share important files or internal websites with ldquoeveryonerdquo With
NeoRouter Joe can manage all the access control at one place and easily solve this challenge
User Manual
NeoRouter Inc 2010 Page 35 of 53
ACL defines the relationships between users and computers that can be conceptually represented using a table In
Joersquos case he needs to define the ACL as follows
Default User Joe (Admin) Customer Joersquo Co-workers
Default Computer ACL Block all
File Server Allow all Allow file sharing
block other services
Office Computer A Allow all Block all
Office Computer B Allow all Block all
Joersquos laptop Allow all Block all
Customerrsquos Computer
Letrsquos first look at the row for File Server Joersquos customer will only have access to the files sharing service There is
no ACL defined for Joe and his co-workers so the ACL for Default User is effective and they have full access
Similarly the customer will be blocked from accessing office computer A and B as well as Joersquos laptop while Joe
and his coworkers have full access to these computers
When the customer connects to Joersquos NeoRouter domain his computer will be added to the domain Because the
ACL for this computer is undefined it will have the same ACL as ldquoDefault Computerrdquo Thus the customerrsquos
computer will block all users including Joe from accessing it The customer has physical access to his own
computer
442 Define Computer ACL
You can think of a computerrsquos ACL as a row in the above ACL table An admin can select any computer in the
computer list and edit its ACL If a group of computers share the same ACL admin can copy ACL from one
computer to another
To edit the Default Computer ACL you can click on the ldquoEdit Default ACLrdquo button in the tool bar
User Manual
NeoRouter Inc 2010 Page 36 of 53
443 Define ACL entry
An ACL entry defines the relationship between one user and one computer You can think of it as a cell in the above
table To edit an ACL entry you can select the computer in the computer list click Edit ACL in the tool bar and
then select the user in the User List in the following dialog If the user does not exist in the list you can click Add
button and add himher
There are 4 types of ACL entries
Undefined the relationship between the user and the computer is not explicitly defined The user does not
show up in the User List of the ACL In this case the Default User ACL entry for this computer will be
effective
Block All the computer is invisible to the user User cannot add the computer to hisher computer list in
Network Explorer or connect to it
Note admin can view the list of computers that is visible to a specific user Click on the User Accounts tab
choose the user and then click on the ldquoUser Computer Listrdquo button from tool bar
Firewall On User can only access the services in the exceptions list provided by the computer
Firewall Off User can access all services provided by the computer
To define the Default User ACL entry for a computer choose Default User from User List If several users have the
same trust level admin can copy the ACL entry from one user to another using the ldquoCopy Fromrdquo button
444 How Firewall Works
NeoRouter Client Service daemon has a built-in firewall that monitors traffic in the virtual network The firewall
downloads the ACL from server and uses it to allow or deny incoming connections in the virtual network
User Manual
NeoRouter Inc 2010 Page 37 of 53
When a remote computer establishes a direct P2P or relayed connection to local host it also informs which user has
signed into the Network Explorer on the remote computer Then the local hostrsquos firewall will use the user id to
choose the appropriate ACL entry and control the virtual network traffic between these two computers If user does
not sign in Network Explorer on the remote computer the Default User ACL entry is used
As a result NeoRouter firewall can control a userrsquos access to a network resource (a computer or a service on a
computer) based on the ACL
445 Example hub-and-spoke
Jeffrsquos company has three business partners A B and C Jeff needs to setup bidirectional network connections with
each partner but these partners should be invisible to each other Jeff setup a NeoRouter domain and invited the
partners to Then Jeff creates the following ACL to achieve his access control goals
Default User Jeff (Admin) Partner A Partner B Partner C
Default Computer ACL Block all Allow all
Jeffrsquos Computer 1 (Hub 1) Allow all
Jeffrsquos Computer 2 (Hub 2) Allow all
Partner Arsquos Computer
Partner Brsquos computer
Partner Crsquos computer
Every user will have access to Jeffrsquos two computers (hub) because they have Default User ACL entry as ldquoAllow
allrdquo Partner Arsquos computer does not have a specific ACL defined so the Default Computer ACL is effective The
Default Computer ACL grants Jeff access to Partner Arsquos computer but make the computer invisible to Partner B and
C Partner A have physical access to his own computer
446 Example one-way access
Jasonrsquos company provide technical support for customer A Jason needs to have one-way access to Customer Arsquos
computer but block Customer A from accessing Jasonrsquos computer Jason sets up the following ACL for his domain
and invites Customer A to join his domain Jason can access all the computers in the domain while Customer A can
access none except for his own
One day Jason visits another Customer Brsquos office He installs NeoRouter client on Customer Brsquos computer so that he
can provide technical support remotely in the future When he signs into Network Explorer he makes sure to
uncheck ldquoremember my passwordrdquo checkbox When he leaves customer Brsquos office he exits the Network Explorer
Because Network Explorer is not running on Customer Brsquos computer the Default User ACL governs the
connections from Customer Brsquos computer to other computers in the VLAN Thus Customer B does not have access
to any computers except for his own When Jason goes back to his office he can connect to Customer Brsquos computer
remotely and provide customer support
The difference between Customer A and B is that Customer A has a NeoRouter user account while Customer B does
not The result is that Jason has access to all three computers while Customer A or B can only access hisher own
computer
Default User Jason (Admin) Customer A
Default Computer ACL Block all Allow all
Jasonrsquos Computer
Customer Arsquos Computer
Customer Brsquos Computer
User Manual
NeoRouter Inc 2010 Page 38 of 53
45 Managing Server and Domain
In the Settings page you can perform the following tasks
- Change domain name User should have setup a domain during the server installation If you decide to
change the domain name you can create a new domain at NeoRouter Dashboard website and then use
Configuration Explorer to switch the server to new domain
- Change Listen Port this is discussed in the Advanced Configuration chapter
- Change NAT setting this is discussed in the Server Installation chapter
- Change DHCP this is discussed in the Advanced Configuration chapter
Please restart the NeoRouter server daemon after changes
46 Branding
This feature is available in NeoRouter Profession Edition only
Admin can customize the logo on the sign-in page NeoRouter Network Explorer and the banner below the computer
list The customization page of the Configuration Explorer allows user to make these changes The changes will be
effective next time user signs into the Network Explorer
User Manual
NeoRouter Inc 2010 Page 39 of 53
a Logo format custom logo can be JPG JPEG BMP or GIF files The Logo will be displayed in 180 80
pixels and the file will be automatically resized to fit The color of the pixel at (0 0) will be used as the
transparent color
b Banner format custom banner can be JPG JPEG BMP or GIF files The banner will be displayed in
190 42 pixels and the file will be automatically resized to fit
c When user clicks on the banner Network Explorer will launch a web browser and navigate to the link
specified in the ldquoBanner Linkrdquo box The banner link should be a valid URL that begins with http eg
httpwwwgooglecom
User Manual
NeoRouter Inc 2010 Page 40 of 53
47 Server Configuration CLI
Another way to configure the NeoRouter server is to use nrserverrsquos CLI If user does not have a Windows computer
with Configuration Explorer this tool can be used to set most configurations
Usage nrserver [options]
-run [--dbroot ltDBROOTgt]]
-showsettings
-setdomain ltDOMAINNAMEgt ltDOMAINPASSWORDgt
-setport ltPORTgt
-dhcp ltSUBNETgt ltNETMASKgt
-showusers
-adduser ltUSERNAMEgt ltPASSWORDgt [admin|user]
-setpassword ltUSERNAMEgt ltNEW PASSWORDgt
-setrole ltUSERNAMEgt [admin|user]
-enableuser ltUSERNAMEgt
-disableuser ltUSERNAMEgt
-deleteuser ltUSERNAMEgt
-showcomputers
-deletecomputer COMPUTERNAME
-setalias COMPUTERNAME ALIAS
-help
5 Advanced Configuration
51 Change Server Port
By default NeoRouter server listens at TCP port 32976 for incoming client connections User can change the
listening port to any valid number between 1 and 65534
a Launch Configuration Explorer sign in and open the Settings tab
b Click on ldquoChange Portrdquo button input the new listening port and click ldquoOkrdquo to save the settings
c If the NeoRouter Server is running on the same computer user will be prompted for restarting the
NeoRouter Server
d If the NeoRouter Server is running on a different computer or device user needs to restart the server
manually
User Manual
NeoRouter Inc 2010 Page 41 of 53
Note
- The new settings will not take effect until the NeoRouter server stops and restarts
- Since the listening port has been changed all NeoRouter clients connected to the server will be
disconnected and have to reconnect to the server
52 Change DHCP NeoRouter server acts as a DHCP server to allocate the virtual IP address when a NeoRouter client connects to it By default the base IP address is 100002552552550 User can change the base IP address to any valid network IP address to meet the specific requirements
a Run Configuration Explorer sign in and open the ldquoSettingsrdquo tab b Click on ldquoChange DHCPrdquo button input the new IP address and netmask and then click ldquoOkrdquo to save the
settings c If the NeoRouter Server is running on the same computer user will be prompted for restarting the
NeoRouter Server d If the NeoRouter Server is running on a different computer or device user needs to restart the server
manually
Note
- The new settings will not take effect until the NeoRouter server stops and restarts
53 Network Bridge
531 Overview NeoRouter (v099 or later) supports the Network Bridge feature which uses two very different means for
interconnecting networks routing and bridging Once the feature is enabled the ACL feature will be disabled
automatically as we cannot control the packets from the external networks anymore and may cause security issues if
its not setup properly So this is an advanced feature for the users who know about it every well
Routing - refers to the interconnection of separate and independent sub-networks (subnets) which have non-
overlapping ranges of IP addresses Upon receiving a packet sent to it a network router examines the
destination IP address to determine which of several connected networks should receive it after which that packet
is forwarded to the proper network
User Manual
NeoRouter Inc 2010 Page 42 of 53
Bridging - by comparison is much simpler A network bridge is simply an electrical interconnection between
separate physical networks that are all carrying the same ranges of IP addresses Standard dumb network hubs
and switches are examples of network bridges With a hub packets arriving at any port are bridged and sent
out to every other port A switch is a bit smarter since it is able to adaptively learn which network interface cards
(NICs) are attached to which ports But a switch is still interconnecting network segments carrying the same
ranges of IP addresses
532 Routing vs Bridging Although routed connections are the most common and straightforward to configure they suffer from significant
operational limitations By comparison bridged connections are generally much trickier to configure and are not
even natively available under all operating systems so they are not the default connection type But when bridging
is properly setup it correctly does everything that we want
Bridging and routing are functionally very similar with the major difference being that a routed VPN will not pass
IP broadcasts while a bridged VPN will
Routing advantages
Efficiency and scalability
Allows better tuning of MTU for efficiency
Routing disadvantages
Clients must use a WINS server (such as samba) to allow cross-VPN network browsing to work
Routes must be set up linking each subnet
Software that depends on broadcasts will not see machines on the other side of the VPN
Works only with IPv4 in general and IPv6 in cases where tuntap drivers on both ends of the connection
support it explicitly
Bridging advantages
Broadcasts traverse the VPN -- this allows software that depends on LAN broadcasts such as Windows
NetBIOS file sharing and network neighborhood browsing to work
No route statements to configure
Works with any protocol that can function over ethernet
Relatively easy-to-configure solution for road warriors
Bridging disadvantages
Less efficient than routing and does not scale well
533 Setup Network Bridge With either bridging mode or routing mode one can create point-to-site VPN site-to-site VPN or even multiple site-
to-site networks Once a network structure is well designed one can use Featureini file to control NeoRouter client
service to implement it
The file Featureini is located in the main configuration folder which can be various for different OS
On Windows Xp
XDocuments and SettingsAll UsersApplication DataZebraNetworkSystemsNeoRouter
On Vista+
XUsersAll UsersZebraNetworkSystemsNeoRouter
On Linux and Mac OSX
usrlocalZebraNetworkSystemsNeoRouter
On in-a-box
jffs
If it does not exist please create one
The only thing to do is define the parameters in the Featureini file
User Manual
NeoRouter Inc 2010 Page 43 of 53
NetworkBridge=1
LANSegment parameter
This is a set of parameters used for mapping the external IP address or IP range to a virtual IP address so that
NeoRouter can route the packets to the proper tunnel Its defined in the following format
LANSegment[index]=[IP|IP range|segment]VIP
[index] - number start from 1 for example 123
[IP] - a valid external IP address for example 192168129126
[IP range] - a set of external IP addresses in the format as IP_BEGIN-IP_END For example 192168129126-
192168129128
[segment] - a set of external IP addresses in the format as SUBNETWORKNETMASK For example
19216812902552552550
For example
[Default]
NetworkBridge=1
LANSegment1=192168129126-192168129128192168129204
LANSegment2=192168129120192168129205
LANSegment3=192168302552552550192168129206
In the sample above the setting tells NeoRouter how to route packets
Here are several common scenarios
534 Bridging Setup ndash point to site VPN
Requirement
A company wants create a point-to-site VPN so that the employees can remotely access the printers or computers in
the office from home or customer site Since NeoRouter client cannot be installed on the printers and some
User Manual
NeoRouter Inc 2010 Page 44 of 53
computers that are running Unix OS (HP-Unix Solaris or SCO Unix) the NeoRouter Network Bridge feature
would the best choice
Design
Since we want to use the printer its better to use the bridging mode Depending on the requirements we split the
network into 3 groups
1 192168129126 - 192168128128 used for computers or printers
2 192168129200 - 192168129254 used for NeoRouter DHCP
3 Other IP address we dont want packets from these IP range go to our VPN
Setup
1 Setup NeoRouter server and config the DHCP address to 1921681292002552552550
2 Setup the gateway computer by creating a bridge to combine the NeoRouter virtual adapter and a local adapter
On Windows XP+ (except WinXp x64) one can use Windows tool to create a bridge
(check out MSDN for details)
Since some adapters may not fully support prosmic mode one has to enable it manually
(check out httpsupportmicrosoftcomkb302348)
gt netsh bridge show adapter
gt netsh bridge set a 1 e
gt netsh bridge set a 2 e
On Linux one can use brctl command to create a bridge
gt brctl addbr $br
gt brctl addif $br eth0
gt brctl addif $br nrtap
gt ifconfig nrtap 0000 promisc up
gt ifconfig eth0 0000 promisc up
gt ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast
gt
gt ifconfig $br down
gt brctl delbr $br
3 Setup Featureini file on each member of the NeoRouter network The content of the file is
[Default]
NetworkBridge=1
LANSegment1=192168129126-192168129128192168129204
After setting the file restart the nrservice or reboot computer
User Manual
NeoRouter Inc 2010 Page 45 of 53
535 Routing Setup ndash site to site VPN
Requirement
A company wants create a site-to-site VPN to link two offices located in different cities They cannot install
NeoRouter client software on their computers running Unix OS (HP-Unix Solaris or SCO Unix) The NeoRouter
Network Bridge feature would be the best choice
Design
To make the VPN fast its better to use the routing mode From the requirements we can see 3 networks
1 19216812902552552550 Office 1
2 192168302552552550 Office 2
3 100102552552550 NeoRouter virtual network
Setup
1 Setup NeoRouter client on each gateway computers
2 One each gateway computer enable the feature allowing the OS to forward packets
On Windows 2000+
create HKEY_Local_MachineSystemCurrentControlSetServicesTcpipParametersIPEnableRouter
as a string value equal to 1 in the registry This will require a system reboot to take effect To confirm it
is enabled do ipconfig all from the command line IP Routing Enabled should say yes If not confirm your
registry setting and reboot again This setting is flaky in non-server versions of Windows
Also refer to httpsupportmicrosoftcomkb230082en-us
On Linux
gt echo 1 gt procsysnetipv4ip_forward
User Manual
NeoRouter Inc 2010 Page 46 of 53
On Mac OS X
1) The easy way is to create or edit etcsysctlconf and add netinetipforwarding=1
or
2) gt sysctl -w netinetipforwarding=1
3 Setup route on each gateway
On the gateway of the 1921683x network
gt route ndashp add 1921681290 mask 25525500 1001103
On the gateway of the 192168129x network
gt route ndashp add 19216830 mask 25525500 1001102
4 Setup route stable When using routing method you need to tell your other machines how to cross the VPN to
access computers on the opposite network
Option1
This requires more work but limits configuration changes to be at the computer level
On each computer of the 1921683x network
gt route ndashp add 1921681290 mask 25525500 1921683234
On each computer of the 192168129x network
gt route ndashp add 19216830 mask 25525500 192168129129
Option 2 (not all routers support this but it is the minimal configuration method)
On the router acting as the default gateway for 1921683x network add a static route that says any traffic destined
for 1921681290 network go through 1921683x (IP address of NeoRouter PC on 1921683x network)
On the router acting as the default gateway for 192168129x network add a static route that says any traffic
destined for 19216830 network go through 192168129x (IP address of NeoRouter PC on 192168129x
network)
User Manual
NeoRouter Inc 2010 Page 47 of 53
536 Bridging Setup ndash site to site VPN
537 Run Scripts When Network Bridge feature is enabled one can define commands getting called by NR Client on the following
events
These commands should be defined in the Featureini file
1When initialize the tap device but not activate it yet
CmdOnTapInit=xxxxxxxxx
2When the tap device gets activated
CmdOnTapActive=xxxxxxxxx
3When tap device gets destroyed
CmdOnTapUninit=xxxxxxxxx
These options are available on all platforms
For example one can define a script to setup static route table after the tap gets activated and has virtual IP address
assigned
Featureini
CmdOnTapActive=usrbinsetroutetablesh
User Manual
NeoRouter Inc 2010 Page 48 of 53
54 Build Custom Add-on (Windows)
541 Create Custom Add-on You can customize an add-on or even create your own
As an example letrsquos create an add-on to get the system info of a remote computer using PsTools by Mark
Russinovich and systeminfoexe command shipped with Windows
PsTools httptechnetmicrosoftcomen-ussysinternalsbb896649aspx
systeminfo httptechnetmicrosoftcomen-uslibrarybb491007aspx
a Launch NeoRouter Network Explorer open Add-ons Manager dialog
b Click + button to create a new add-on
c In add-on properties dialog enter the following
Add-on name psexec systeminfo
Command
cmdexe C cpstoolspsexecexe NRIPAddress -u ltusernamegt systeminfo amp pause
Please replace ltusernamegt with username on the remote computer
Comment Get SystemInfo of remote machine using psexec
Startup Type Manual
Icon click Change Icon button to choose one thats easy to recognize
d In the command you can use Windows environment variables or NeoRouter variables like
NRIPAddress If you click on the button next to the Command edit box you will see the Edit
Command dialog with a list of variables you can use
User Manual
NeoRouter Inc 2010 Page 49 of 53
e Three Startup types are supported
Manual the add-on will be displayed in the launch pad of Network Explorer and user can manually
launch the program
Automatic after signing in the add-on command is automatically executed when user signs into
NeoRouter Network Explorer
Automatic after Windows starts the add-on command is automatically executed when Windows
starts
f Launch the new add-on just click on the target computer in Network Explorer and choose the add-on in
the pop-up launch pad
User Manual
NeoRouter Inc 2010 Page 50 of 53
g In the above steps I have assumed that PsTools are installed at cPsTools and the remote computer has
telnet service enabled If not lets configure the system now
PsTools download from httptechnetmicrosoftcomen-ussysinternalsbb896649aspx and extract to
cPsTools folder
h Configure telnet service on remote computer This step is required on XPVista but not necessary on
Windows 20032008 servers
Run servicesmsc from the Start -gt Run command window and configured the Telnet service for
Automatic Start the service
Follow the instructions here httpsupportmicrosoftcomkb298060en-us
Launch Windows firewall and add CWINDOWSSystem32tlntsvrexe to exception list
542 Add-on File Formats
NeoRouter supports two types of add-on files nri and nra Most users only need to deal with nri files all files
downloaded from httpwwwneoroutercomaddonsindexhtml are in this format nra files are used by advanced
users to build custom add-ons
nri is the full installation package that contains both the application and the the configure info Users can simply
download nri files from and use the Install button to setup the add-on
nra contains only the configuration info Advanced users can create custom add-ons and export the configuration
info as nra files using the Export button in the add-on properties dialog Then heshe can import the nra file
on another client But remember that you will need to manually setup the application as well
User Manual
NeoRouter Inc 2010 Page 51 of 53
6 Licensing NeoRouter
61 Licensing Overview
NeoRouter Server Professional Edition has a license control mechanism User can purchase either 8 licenses or 256
licenses The number of licenses is the max number of client computers allowed in the virtual network A
NeoRouter client requires one license regardless of whether it is online or offline A NeoRouter PortableUSB client
requires one license when it is connected to the virtual network There is no limit on the number of user accounts
NeoRouter Professional has 30 days trial period Please activate before the trial period expires to ensure
uninterrupted usage The license status and remaining trial days can be found at Configuration Explorerrsquos General
page
62 Activation
If you have purchased NeoRouter Professional Edition you should receive a product key in email Please have the
product key ready before starting the activation process
a Ensure NeoRouter server is running
b Launch Configuration Explorer and sign in
c Open ldquoGeneralrdquo page click on the ldquoActivate Productrdquo button
d Enter the product key in the following dialog
e Click on the ldquoOKrdquo button to activate it
After successful activation the ldquoActivate Productrdquo button will disappear and License status will show as activated
If the server host is non-Windows you can also activate using nrserverrsquos CLI The command is as follows On Mac
nrserver executable is located under LibraryNeoRouter
ldquonrserver ndashactivateproduct ltPRODUCT KEYgtrdquo
63 Product Key Recovery
You should receive a product key in email within 48 hours after your purchase If you lose the product key please
contact us and provide your name company shipping address and email address We will verify the information and
resend the product key to you
User Manual
NeoRouter Inc 2010 Page 52 of 53
7 Troubleshooting and Support
71 Troubleshooting
If you come cross issues when using NeoRouter please use the methods to debug or report
711 Troubleshooting steps
1Install Server
2Check Server
Process
3Check Server
Listening port
4Check Port
Forwarding
6Signin with
Domain
14Check Error
Message
20 Generate Log
and email support
9Install Client
10Check Client
Service Process
11Sign in with
serverrsquos local or
public IP and port
failed
sucessful
15 Manually Start
Servernot found
started
not start
found
not open17 Check Port
conflicts
solved
Not solved
opened
19 Check Router
Port Forward
setting
not work
Set properly
8Ready
Sign in successfully
5Sign in with
public IP and port
successful
Cannot sign in
22 Router Hairpin
issue
Cannot
sign in
12Sign in with
domain name
found
successful
failed
16 Manually Start
Client ServiceNot found
started
13Ready
Sign in successfully
18 Check serverCannot
Sign in
solved
Cannot
sign in
21 Check domain
setting
Not sovled solved
Troubleshooting Steps
Setup Server Setup Client
Note
Step 2 and 10 to check if a process is running you can use Task Manager or Services Console on
Windows or ps command on other platforms
Step 3 to check server listening port you can use telnet or netstat on all platforms You can also
TcpViewer on Windows or NetActView on Linux
Step 4 to check port forwarding you can use httpwwwneoroutercomcheckportphp
Step 5 and 6 Tip ndash use Configuration Explorer instead of Network Explorer to debug server issues
Step 20 next section will explain how to generate log files
User Manual
NeoRouter Inc 2010 Page 53 of 53
Step 22 If your router does not support Hairpin please set serverrsquos LAN address in the Connection
Options dialog See Server Local Address
712 Generate Log
If you need technical support please use the following steps to collect the log files and send them to
supportneoroutercom
a Launch Network Explorer
b Select menu item HelpgtgtTroubleshootinggtgtLog Session to File
c If you want to troubleshoot the server then restart the NeoRouter server service from the servicesmsc if
you want to create log for the client then restart the NeoRouter client service from the servicemsc
d After reproduce the issue select menu item HelpgtgtTroubleshootinggtgt Log Session to File again to disable
the log and restart the service you are trying to log
e Select menu item HelpgtgtTroubleshootinggtgtOpen Configuration Folder and you will see the log file
For advanced users please setup logging settings manually referring to
httpwwwneoroutercomwikiindexphpNeoRouterWikiFAQHow_to_generate_a_log_file3F
72 Contact Us
Company website
httpwwwneoroutercom
Technical support
supportneoroutercom
Support ticket
httpswwwneoroutercomDashboardSendTicketaspx
Support forum
httpwwwneoroutercomforum
Product sales
salesneoroutercom
Knowledge base
httpwwwneoroutercomsupport
User Manual
NeoRouter Inc 2010 Page 16 of 53
b Enter user credential
- If NeoRouter server is installed on Windows please use the administrator account created during
server setup
- If NeoRouter server is installed on other platforms NeoRouter can defer the authentication to the
operating system so user can sign in using the same username and password as heshe logs into OS
- User can also use the additional accounts created in Configuration Explorer or server CLI
- If you are invited to a NeoRouter domain please contact the administrator for your account
information
c In the Log on to field enter the domain name you have chosen during server setup Alternatively you can
enter the serverrsquos IP address or computer name You can also enter localhost if the Network Explorer is
on the same host as the server
d If the client host is behind proxy please choose Menu ldquoFile | Connectionsrdquo to bring up the Connection
Options dialog click Proxy Setting tab and then set proxy information
e Click the Sign In button
32 Computer List
The computer list is your view of the VLAN You can add any computer in your VLAN to this list and organize
according to your preference You will always have the same list regardless where you sign in from Each user will
have hisher separate list
Initially you will see an empty computer list after signing in for the very first time (see the left picture below) To
add a computer you can choose the menu Computers | Add a computer and then select the computer and category
in the dialog Once complete your computer list will be updated (see the right picture below)
You can use categories to help manage a long list of computers To create a category you can choose menu
Computers | Create a category To move a computer to a different category you can simply drag and drop
User Manual
NeoRouter Inc 2010 Page 17 of 53
Starting in release v098 the computer list shows the OS type icons next to a computer name If a computer is
online its icon is colourful and its name is bold If a computer is offline its icon is grey and its name is not bold
33 Add-on Add-ons extend NeoRouter Network Explorer and let you perform additional tasks over the virtual network
User Manual
NeoRouter Inc 2010 Page 18 of 53
331 Add-on launch pad
If you click on a computer in the computer list a popup dialog will display a list of actions you can take to remotely
control and access this computer This dialog is called the add-on launch pad
Screenshots on Windows
Screenshot on Mac
User Manual
NeoRouter Inc 2010 Page 19 of 53
NeoRouter Network Explorer has a few system default add-ons If a computer is online the following add-ons are
available
Icon Action
remote desktop connection
file sharing
ICMP ping
copy the IP address
If a computer is offline the following add-ons are supported
Icon Action
remote wakeup (WOL)
Note on remote wakeup NeoRouter server can send the Magic packet and wake up hosts that are WOL enabled If
the NeoRouter server is installed on a router remote wakeup works for hosts directly attached to this router If
server is installed on Windows Linux or Mac remote wakeup works for hosts in the same physical LAN To enable
WOL you may need to change BIOS and OS settings
332 Manage Add-ons (Windows)
You can download additional add-ons from the NeoRouter download website
(httpwwwneoroutercomaddonsindexhtml) and install them using the Add-on Manager Here we use UltraVNC
as an example to explain the setup process
a Launch NeoRouter Network Explorer choose menu File - Add-ons
b The Add-ons Manager dialog lists all the existing add-ons including system default ones and those
installed by user
User Manual
NeoRouter Inc 2010 Page 20 of 53
c To find more add-ons click on the Add-ons Gallery link at the bottom of the dialog or visit
httpwwwneoroutercomaddonsindexhtml in your web browser Download the add-on (nri) file to
your computer
d In the Add-ons Manager dialog click on Install button locate the nri file you just downloaded and
click Open to install the add-on
e Some add-ons including UltraVNC may require user to restart the NeoRouter Network Explorer to
complete the installation In such case you will see the following message box You can exit NeoRouter
Network Explorer by right click its icon in system tray and choose exit
f After installation you will see the new add-ons show up in the list
User Manual
NeoRouter Inc 2010 Page 21 of 53
g When you re-launch NeoRouter Network Explorer UltraVNC server will be started automatically If you
have not run UltraVNC server before you will see the following firewall warning and VNC configuration
dialog
h Please click the unblock button when you see the following dialog
Please enter VNC password then click the Ok button
User Manual
NeoRouter Inc 2010 Page 22 of 53
i Repeat the above steps on the remote computer that you plan to access
j To launch VNC viewer and access the remote computer choose the computer in the computer list and
click VNC viewer icon in the launch pad
333 Manage Add-ons (Mac)
a Launch NeoRouter Network Explorer choose menu File - Add-ons
b The Add-ons Manager dialog lists all the existing add-ons including system default ones and those added
by user
User Manual
NeoRouter Inc 2010 Page 23 of 53
c An add-on is essentially an apple script with NeoRouter parameters Here are some examples
Name Script
Copy IP set the clipboard to $NRIPAddress
Ping tell application Terminal to do script ping $NRIPAddress
Shared Folder tell application Finder to open location smb$NRIPAddress
Variables $NRIPAddress and $NRComputerName will be replaced with the IP and name of the selected
computer before the add-on is executed
d You can also create new add-ons or edit existing ones using the Add-On Properties dialog
User Manual
NeoRouter Inc 2010 Page 24 of 53
e To learn more about Apple Script please visit the following websites
httpenwikipediaorgwikiAppleScript
httpdeveloperapplecommaclibrarydocumentationAppleScriptConceptualAppleScriptXAp
pleScriptXhtml
34 Connection Options Connection Options dialog can be opened from Network Explorer menu ldquoFile | Connectionrdquo
341 P2P Connection This option allows user to specify the connection type between this computer and its peers The default option is
UDP User can also use direct TCP connection or relay traffic through NeoRouter server
342 Proxy Setting If the client host is behind proxy user can enter the proxy information here
User Manual
NeoRouter Inc 2010 Page 25 of 53
343 Server Local Address This option can be used to work around the connectivity issue when NeoRouter server is behind a router that does
not support hairpin
A router supports hairpin if it allows a host behind it to send network messages to its public-facing interface
Unfortunately some popular routers do not support this feature or turn off this feature by default
When user logs into NeoRouter Network Explorer first translates domain name into routerrsquos public address using
the NeoRouter DDNS service and then tries to connect to server using this address If both NeoRouter server and
client are behind the same router and the router does not support hairpin the router will block the messages that
client sends to the routerrsquos public address thus client fails to establish connection to server User could work around
this issue by entering serverrsquos LAN IP address instead of domain name in the ldquolog on tordquo box but this can be a
hassle for laptop users who frequently move between networks
These users can choose the second option ldquoConnect to server using its local address when possiblerdquo in the following
dialog and enter serverrsquos local address NeoRouter Network Explorer can detect when client and server are behind
the same router and automatically choose the specified local address to establish the connection to server
User Manual
NeoRouter Inc 2010 Page 26 of 53
35 Multi-Language
Multi-Language support allows you to change the default language displayed in Network Explorer NeoRouter
Portable and Configuration Explorer
351 Install a language resource file
NeoRouter applications support 34 languages and English is the default To install a new language you can
download the language resource files from
httpwwwneoroutercomwikiindexphpNeoRouterWikiMultilanguage and place them under the translation
folder Then the application will load them and list all available languages in the Language menu You can switch
language in the menu and the application will refresh its UI with the new language
For NeoRouter Network Explorer and Configuration Explorer the language resource files should be placed under
one of the following folders
ldquoProgram FilesZebraNetworkSystemsNeoRouterTranslationrdquo
ldquoAllUsersAppdataZebraNetworkSystemsNeoRouterTranslationrdquo
For NeoRouter PortableUSB the language resource file should be placed under Translations folder next to
application
352 Language resource file format
The file name should have the following format [Appliation Name] can be NRClient NRViewer and NRConsole
[LangCd] is the short language code
[Application name]Resource[LangCd][xml|dll]
For example Simplified Chinese version has the following files NRClientResourceZhCnxml for Network
Explorer NRConsoleResourceZhCnxml for Configuration Explorer and NRViewerResourceZhCnxml for
NeoRouter Portable
User Manual
NeoRouter Inc 2010 Page 27 of 53
Each resource file is an xml that contains all the strings defined in the NeoRouter applications The file is encoded in
ANSI The content should be in the format
ltxml version=10 encoding=windows-1252gt
ltresource CompactMode=1 Language=English (United States) LANGID=1033
version=09101650gt
ltstring id=100 value=OLE initialization failed Make sure that the OLE libraries are
the correct versiongt
ltresourcegt
Encoding (=windows-1252) Language(=English (United States)) and LANGID(=1033) are used to control
the translation version=09101650 is resource file version number introduced in v0910 The resource file can
be recognized properly only when these parameters are set properly
353 Multi-Language support for Add-ons
The names and descriptions of the add-ons can be translated to other languages as well You can download the add-
on configuration file from NeoRouter website and overwrite the following file
AllUserAppDataZebraNetworkSystemsNeoRouterAddOnsAddOnxml
36 Skin
Skin allows you to further customize the user interfaces of Network Explorer NeoRouter Portable and
Configuration Explorer
To install a new skin you can download the skin resource file from
httpwwwneoroutercomwikiindexphpNeoRouterWikiSkin and place them under the skin folder
For NeoRouter Network Explorer and Configuration Explorer the language resource files should be placed under
one of the following folders
ldquoProgram FilesZebraNetworkSystemsNeoRouterSkinrdquo
ldquoAllUsersAppdataZebraNetworkSystemsNeoRouterSkinrdquo
For NeoRouter PortableUSB the language resource file should be placed under Skin folder next to executable
To change default skin you need to modify (or create if not exists)
AllUserAppDataZebraNetworkSystemsNeoRouterFeatureini file and add the following
[Default]
SkinName=xxxxstyles
SkinStyle=xxxxini
37 Network Explorer CLI
NeoRouter Network Explorer Command Line Interface (CLI) allows user to sign in manage the computer list and
view computer status Below are the screenshots on Mac and Ubuntu Linux
User Manual
NeoRouter Inc 2010 Page 28 of 53
371 Launch CLI
Usage nrclientcmd [-d DOMAIN] [-u USERNAME] [-p PASSWORD] [-setproxy] [-setconn] [-dbroot DBROOT]
[-internal] [--help]
To launch Network Explorer CLI you can simply run nrclientcmd in a terminal without parameters Mac users can
simply double-click on the nrclientcmd shortcut on the Desktop You will be prompted for domain name and user
credential
If you need to launch nrclientcmd in a startup script you can also provide domain name or credential in the
command line arguments
If the client host is behind a proxy you can use ndashsetproxy option The proxy information will be stored in the
configuration file and nrclientcmd will respect this setting subsequently
There are also a few advance options
- setconn allow user to specify client-to-client connection type
- dbroot allow user to specify the location to store user data
- internal nrclientcmd will generate tags between information sections This option can be used by third
party developers to create a UI wrapper for CLI
372 Computer List in CLI
After signing in you will see your computer list just like on Windows The computer list will automatically update
if there are any changes in your virtual LAN eg a host comes online or offline
At the bottom of the screen lists the available commands you can use to manage the computer list change password
remotely wake up a computer or to quit
38 Network Explorer Portable
NeoRouter Network Explorer Portable can run from any computer without installation It does not require
administrator permission or use the virtual network adapter This application can be extremely useful for users who
need to connect to the VLAN from a public kiosk or from friendrsquos house
User Manual
NeoRouter Inc 2010 Page 29 of 53
Note Prior to v111 Portable and USB are two separate packages They are merged into one package in v111 and
later releases The new package is a zip file containing both the portable client and the USB Auto Run Configuration
Tool The functionalities are same as before
381 Network Explorer Portable
To use Network Explorer Portable client user can simply download it from NeoRouter download website and run
Then user will see the same user interface as the regular Network Explorer The user experience is almost the same
except for the following
The host running PortableUSB client cannot be added to the computer list or be accessed by remote computer
You can think of it as a ldquoviewer of the VLANrdquo
NeoRouter administrator users can see and manage hosts running PortableUSB clients in the Configuration
Explorer
382 Auto Run Configuration for USB
Auto Run Configuration Tool allows user to store the portable client add-ons and configuration on a USB drive
You can even configure it to launch and sign in automatically when the USB drive is plugged into a computer and to
sign out and exit when the USB drive is unplugged
Here are the steps for setting up the USB package
a Download NeoRouter for USB
b Unzip the package to any folder For example CTEMP
c Launch the ldquoAuto Run Configuration Toolrdquo (AutoRunCfgexe)
User Manual
NeoRouter Inc 2010 Page 30 of 53
d Click on the ldquohelliprdquo button next to the working directory text box and specify a working path If the target
USB drive is plugged in you can specify the USB drive root path as the working directory Or you can
specify a temporary path (eg CTEMPUSB) and copy the files to your USB driver later
e Once you specify a working directory the Settings section will be enabled
f Choose CliViewerexe from the same install zip package as the Target file
g Check the Sign in checkbox and enter the domain name and user information to log into your NeoRouter
VLAN
h Setup the proxy information if necessary
i If you want to import a NeoRouter add-on click on the button on the right side of the Add-on file text
box and specify an add-on nri file
j If you want to run an application automatically after signing in click on the Run application
automatically check box and input an executable file path and parameters
k If you want to hide the NeoRouter Viewer window click on the Minimize NeoRouter window when
started
l Click on Save button to save the configuration files It will generate the following files under the working
directory
- Autoruninf
- CliViewerexe copied from the target file
- NRAutoRunxml
- [add-on file]nri if you specify an add-on
- Proxyxml if you specify a proxy
m You will also see the following dialog if the configuration was successful Then please copy all files and
sub-folder under the working directory to the root of your USB drive And the USB drive is ready to use
39 Change Password
A user can change hisher password in NeoRouter Network Explorer User must sign in the Network Explorer using
old password then choose menu ldquoFile | Change Passwordrdquo then enter the new password in the dialog
Network Explorer CLI has similar functionality After signing in user can use ndashchangepassword command to enter
new password
If a user loses the old password an administrator can create a new password for himher using the Configuration
Explorer User Management tool
User Manual
NeoRouter Inc 2010 Page 31 of 53
4 Configuration Explorer
NeoRouter Configuration Explorer is a Windows application that allows an administrator to manage local or remote
NeoRouter server This is the recommended method to change server settings
If user does not have a Windows computer nrserver CLI can be used to perform most configurations
41 Launch and Sign In
Note Only administrators can sign in Configuration Explorer
a User can launch it from Windows Start Menu | All Programs | NeoRouter | NeoRouter Network Explorer
or from NeoRouter Network Explorer menu ldquoFile | Optionsrdquo
b After launch user will see a sign-in dialog that is similar to the Network Explorer counterpart Please enter
domain name and user credential to sign in If the local host is behind a proxy please click on Connection
button to set proxy information
c After sign in the following general information page will be displayed
User Manual
NeoRouter Inc 2010 Page 32 of 53
42 Managing Users
In the User Accounts page you can perform the following tasks
- View existing users The users list can be sorted by any column
- Add a new user admin will create a temporary password for the new user and user can change the
password in Network Explorer
- Edit user information you can enter anything like employer contact info etc
- Set userrsquos password If a user loses password admin can set a temporary password for himher Then user
can change the password again in Network Explorer
- Disable (block) a user A disabled user will not be able to sign in Network Explorer or Configuration
Explorer The userrsquos profile and ACL settings are retained
- Delete a user all information of this user is deleted
- View the computers that are visible to this user (see ACL section for details)
User Manual
NeoRouter Inc 2010 Page 33 of 53
43 Managing Computers
In the Computers page you can perform the following tasks
- View existing computers please note that the Type column will show ldquoTemporaryrdquo for Network Explore
PortableUSB clients and ldquoPermanentrdquo for regular clients The computer list can be sorted by any column
- Edit a computerrsquos alias When a computer is added to the virtual network NeoRouter reads the computer
name from the OS and displays it in the computer list If you prefer a different name you can create an
alias which will then be used in the computer list
- Edit a computerrsquos description you can enter anything like computer owner location asset id etc
- Edit ACL this will be discussed in next section
User Manual
NeoRouter Inc 2010 Page 34 of 53
44 Access Control List
This feature is available in NeoRouter Profession Edition only
441 Overview
The ACL of a host specifies which users are granted or denied access to the host and which specific services or ports
are allowed Administrators can use ACL to manage a NeoRouter domain that has users with different trust levels
For example Joe uses NeoRouter to manage the office network at his small business He wants to share some
documents on a file server with a customer but block this customer from accessing other services on this file server
and other computers at office At the same time Joe and his coworkers should continue to have full access to all
computers
This can be a daunting task with traditional VPN solutions Once Joersquos customer is connected into the office
network heshe can access all network resources just like Joe and his coworkers If the office uses a domain
controller it can help mitigate the threat but Joe would have to check all the computers to ensure they are secure
Some coworkers can make innocent mistakes and share important files or internal websites with ldquoeveryonerdquo With
NeoRouter Joe can manage all the access control at one place and easily solve this challenge
User Manual
NeoRouter Inc 2010 Page 35 of 53
ACL defines the relationships between users and computers that can be conceptually represented using a table In
Joersquos case he needs to define the ACL as follows
Default User Joe (Admin) Customer Joersquo Co-workers
Default Computer ACL Block all
File Server Allow all Allow file sharing
block other services
Office Computer A Allow all Block all
Office Computer B Allow all Block all
Joersquos laptop Allow all Block all
Customerrsquos Computer
Letrsquos first look at the row for File Server Joersquos customer will only have access to the files sharing service There is
no ACL defined for Joe and his co-workers so the ACL for Default User is effective and they have full access
Similarly the customer will be blocked from accessing office computer A and B as well as Joersquos laptop while Joe
and his coworkers have full access to these computers
When the customer connects to Joersquos NeoRouter domain his computer will be added to the domain Because the
ACL for this computer is undefined it will have the same ACL as ldquoDefault Computerrdquo Thus the customerrsquos
computer will block all users including Joe from accessing it The customer has physical access to his own
computer
442 Define Computer ACL
You can think of a computerrsquos ACL as a row in the above ACL table An admin can select any computer in the
computer list and edit its ACL If a group of computers share the same ACL admin can copy ACL from one
computer to another
To edit the Default Computer ACL you can click on the ldquoEdit Default ACLrdquo button in the tool bar
User Manual
NeoRouter Inc 2010 Page 36 of 53
443 Define ACL entry
An ACL entry defines the relationship between one user and one computer You can think of it as a cell in the above
table To edit an ACL entry you can select the computer in the computer list click Edit ACL in the tool bar and
then select the user in the User List in the following dialog If the user does not exist in the list you can click Add
button and add himher
There are 4 types of ACL entries
Undefined the relationship between the user and the computer is not explicitly defined The user does not
show up in the User List of the ACL In this case the Default User ACL entry for this computer will be
effective
Block All the computer is invisible to the user User cannot add the computer to hisher computer list in
Network Explorer or connect to it
Note admin can view the list of computers that is visible to a specific user Click on the User Accounts tab
choose the user and then click on the ldquoUser Computer Listrdquo button from tool bar
Firewall On User can only access the services in the exceptions list provided by the computer
Firewall Off User can access all services provided by the computer
To define the Default User ACL entry for a computer choose Default User from User List If several users have the
same trust level admin can copy the ACL entry from one user to another using the ldquoCopy Fromrdquo button
444 How Firewall Works
NeoRouter Client Service daemon has a built-in firewall that monitors traffic in the virtual network The firewall
downloads the ACL from server and uses it to allow or deny incoming connections in the virtual network
User Manual
NeoRouter Inc 2010 Page 37 of 53
When a remote computer establishes a direct P2P or relayed connection to local host it also informs which user has
signed into the Network Explorer on the remote computer Then the local hostrsquos firewall will use the user id to
choose the appropriate ACL entry and control the virtual network traffic between these two computers If user does
not sign in Network Explorer on the remote computer the Default User ACL entry is used
As a result NeoRouter firewall can control a userrsquos access to a network resource (a computer or a service on a
computer) based on the ACL
445 Example hub-and-spoke
Jeffrsquos company has three business partners A B and C Jeff needs to setup bidirectional network connections with
each partner but these partners should be invisible to each other Jeff setup a NeoRouter domain and invited the
partners to Then Jeff creates the following ACL to achieve his access control goals
Default User Jeff (Admin) Partner A Partner B Partner C
Default Computer ACL Block all Allow all
Jeffrsquos Computer 1 (Hub 1) Allow all
Jeffrsquos Computer 2 (Hub 2) Allow all
Partner Arsquos Computer
Partner Brsquos computer
Partner Crsquos computer
Every user will have access to Jeffrsquos two computers (hub) because they have Default User ACL entry as ldquoAllow
allrdquo Partner Arsquos computer does not have a specific ACL defined so the Default Computer ACL is effective The
Default Computer ACL grants Jeff access to Partner Arsquos computer but make the computer invisible to Partner B and
C Partner A have physical access to his own computer
446 Example one-way access
Jasonrsquos company provide technical support for customer A Jason needs to have one-way access to Customer Arsquos
computer but block Customer A from accessing Jasonrsquos computer Jason sets up the following ACL for his domain
and invites Customer A to join his domain Jason can access all the computers in the domain while Customer A can
access none except for his own
One day Jason visits another Customer Brsquos office He installs NeoRouter client on Customer Brsquos computer so that he
can provide technical support remotely in the future When he signs into Network Explorer he makes sure to
uncheck ldquoremember my passwordrdquo checkbox When he leaves customer Brsquos office he exits the Network Explorer
Because Network Explorer is not running on Customer Brsquos computer the Default User ACL governs the
connections from Customer Brsquos computer to other computers in the VLAN Thus Customer B does not have access
to any computers except for his own When Jason goes back to his office he can connect to Customer Brsquos computer
remotely and provide customer support
The difference between Customer A and B is that Customer A has a NeoRouter user account while Customer B does
not The result is that Jason has access to all three computers while Customer A or B can only access hisher own
computer
Default User Jason (Admin) Customer A
Default Computer ACL Block all Allow all
Jasonrsquos Computer
Customer Arsquos Computer
Customer Brsquos Computer
User Manual
NeoRouter Inc 2010 Page 38 of 53
45 Managing Server and Domain
In the Settings page you can perform the following tasks
- Change domain name User should have setup a domain during the server installation If you decide to
change the domain name you can create a new domain at NeoRouter Dashboard website and then use
Configuration Explorer to switch the server to new domain
- Change Listen Port this is discussed in the Advanced Configuration chapter
- Change NAT setting this is discussed in the Server Installation chapter
- Change DHCP this is discussed in the Advanced Configuration chapter
Please restart the NeoRouter server daemon after changes
46 Branding
This feature is available in NeoRouter Profession Edition only
Admin can customize the logo on the sign-in page NeoRouter Network Explorer and the banner below the computer
list The customization page of the Configuration Explorer allows user to make these changes The changes will be
effective next time user signs into the Network Explorer
User Manual
NeoRouter Inc 2010 Page 39 of 53
a Logo format custom logo can be JPG JPEG BMP or GIF files The Logo will be displayed in 180 80
pixels and the file will be automatically resized to fit The color of the pixel at (0 0) will be used as the
transparent color
b Banner format custom banner can be JPG JPEG BMP or GIF files The banner will be displayed in
190 42 pixels and the file will be automatically resized to fit
c When user clicks on the banner Network Explorer will launch a web browser and navigate to the link
specified in the ldquoBanner Linkrdquo box The banner link should be a valid URL that begins with http eg
httpwwwgooglecom
User Manual
NeoRouter Inc 2010 Page 40 of 53
47 Server Configuration CLI
Another way to configure the NeoRouter server is to use nrserverrsquos CLI If user does not have a Windows computer
with Configuration Explorer this tool can be used to set most configurations
Usage nrserver [options]
-run [--dbroot ltDBROOTgt]]
-showsettings
-setdomain ltDOMAINNAMEgt ltDOMAINPASSWORDgt
-setport ltPORTgt
-dhcp ltSUBNETgt ltNETMASKgt
-showusers
-adduser ltUSERNAMEgt ltPASSWORDgt [admin|user]
-setpassword ltUSERNAMEgt ltNEW PASSWORDgt
-setrole ltUSERNAMEgt [admin|user]
-enableuser ltUSERNAMEgt
-disableuser ltUSERNAMEgt
-deleteuser ltUSERNAMEgt
-showcomputers
-deletecomputer COMPUTERNAME
-setalias COMPUTERNAME ALIAS
-help
5 Advanced Configuration
51 Change Server Port
By default NeoRouter server listens at TCP port 32976 for incoming client connections User can change the
listening port to any valid number between 1 and 65534
a Launch Configuration Explorer sign in and open the Settings tab
b Click on ldquoChange Portrdquo button input the new listening port and click ldquoOkrdquo to save the settings
c If the NeoRouter Server is running on the same computer user will be prompted for restarting the
NeoRouter Server
d If the NeoRouter Server is running on a different computer or device user needs to restart the server
manually
User Manual
NeoRouter Inc 2010 Page 41 of 53
Note
- The new settings will not take effect until the NeoRouter server stops and restarts
- Since the listening port has been changed all NeoRouter clients connected to the server will be
disconnected and have to reconnect to the server
52 Change DHCP NeoRouter server acts as a DHCP server to allocate the virtual IP address when a NeoRouter client connects to it By default the base IP address is 100002552552550 User can change the base IP address to any valid network IP address to meet the specific requirements
a Run Configuration Explorer sign in and open the ldquoSettingsrdquo tab b Click on ldquoChange DHCPrdquo button input the new IP address and netmask and then click ldquoOkrdquo to save the
settings c If the NeoRouter Server is running on the same computer user will be prompted for restarting the
NeoRouter Server d If the NeoRouter Server is running on a different computer or device user needs to restart the server
manually
Note
- The new settings will not take effect until the NeoRouter server stops and restarts
53 Network Bridge
531 Overview NeoRouter (v099 or later) supports the Network Bridge feature which uses two very different means for
interconnecting networks routing and bridging Once the feature is enabled the ACL feature will be disabled
automatically as we cannot control the packets from the external networks anymore and may cause security issues if
its not setup properly So this is an advanced feature for the users who know about it every well
Routing - refers to the interconnection of separate and independent sub-networks (subnets) which have non-
overlapping ranges of IP addresses Upon receiving a packet sent to it a network router examines the
destination IP address to determine which of several connected networks should receive it after which that packet
is forwarded to the proper network
User Manual
NeoRouter Inc 2010 Page 42 of 53
Bridging - by comparison is much simpler A network bridge is simply an electrical interconnection between
separate physical networks that are all carrying the same ranges of IP addresses Standard dumb network hubs
and switches are examples of network bridges With a hub packets arriving at any port are bridged and sent
out to every other port A switch is a bit smarter since it is able to adaptively learn which network interface cards
(NICs) are attached to which ports But a switch is still interconnecting network segments carrying the same
ranges of IP addresses
532 Routing vs Bridging Although routed connections are the most common and straightforward to configure they suffer from significant
operational limitations By comparison bridged connections are generally much trickier to configure and are not
even natively available under all operating systems so they are not the default connection type But when bridging
is properly setup it correctly does everything that we want
Bridging and routing are functionally very similar with the major difference being that a routed VPN will not pass
IP broadcasts while a bridged VPN will
Routing advantages
Efficiency and scalability
Allows better tuning of MTU for efficiency
Routing disadvantages
Clients must use a WINS server (such as samba) to allow cross-VPN network browsing to work
Routes must be set up linking each subnet
Software that depends on broadcasts will not see machines on the other side of the VPN
Works only with IPv4 in general and IPv6 in cases where tuntap drivers on both ends of the connection
support it explicitly
Bridging advantages
Broadcasts traverse the VPN -- this allows software that depends on LAN broadcasts such as Windows
NetBIOS file sharing and network neighborhood browsing to work
No route statements to configure
Works with any protocol that can function over ethernet
Relatively easy-to-configure solution for road warriors
Bridging disadvantages
Less efficient than routing and does not scale well
533 Setup Network Bridge With either bridging mode or routing mode one can create point-to-site VPN site-to-site VPN or even multiple site-
to-site networks Once a network structure is well designed one can use Featureini file to control NeoRouter client
service to implement it
The file Featureini is located in the main configuration folder which can be various for different OS
On Windows Xp
XDocuments and SettingsAll UsersApplication DataZebraNetworkSystemsNeoRouter
On Vista+
XUsersAll UsersZebraNetworkSystemsNeoRouter
On Linux and Mac OSX
usrlocalZebraNetworkSystemsNeoRouter
On in-a-box
jffs
If it does not exist please create one
The only thing to do is define the parameters in the Featureini file
User Manual
NeoRouter Inc 2010 Page 43 of 53
NetworkBridge=1
LANSegment parameter
This is a set of parameters used for mapping the external IP address or IP range to a virtual IP address so that
NeoRouter can route the packets to the proper tunnel Its defined in the following format
LANSegment[index]=[IP|IP range|segment]VIP
[index] - number start from 1 for example 123
[IP] - a valid external IP address for example 192168129126
[IP range] - a set of external IP addresses in the format as IP_BEGIN-IP_END For example 192168129126-
192168129128
[segment] - a set of external IP addresses in the format as SUBNETWORKNETMASK For example
19216812902552552550
For example
[Default]
NetworkBridge=1
LANSegment1=192168129126-192168129128192168129204
LANSegment2=192168129120192168129205
LANSegment3=192168302552552550192168129206
In the sample above the setting tells NeoRouter how to route packets
Here are several common scenarios
534 Bridging Setup ndash point to site VPN
Requirement
A company wants create a point-to-site VPN so that the employees can remotely access the printers or computers in
the office from home or customer site Since NeoRouter client cannot be installed on the printers and some
User Manual
NeoRouter Inc 2010 Page 44 of 53
computers that are running Unix OS (HP-Unix Solaris or SCO Unix) the NeoRouter Network Bridge feature
would the best choice
Design
Since we want to use the printer its better to use the bridging mode Depending on the requirements we split the
network into 3 groups
1 192168129126 - 192168128128 used for computers or printers
2 192168129200 - 192168129254 used for NeoRouter DHCP
3 Other IP address we dont want packets from these IP range go to our VPN
Setup
1 Setup NeoRouter server and config the DHCP address to 1921681292002552552550
2 Setup the gateway computer by creating a bridge to combine the NeoRouter virtual adapter and a local adapter
On Windows XP+ (except WinXp x64) one can use Windows tool to create a bridge
(check out MSDN for details)
Since some adapters may not fully support prosmic mode one has to enable it manually
(check out httpsupportmicrosoftcomkb302348)
gt netsh bridge show adapter
gt netsh bridge set a 1 e
gt netsh bridge set a 2 e
On Linux one can use brctl command to create a bridge
gt brctl addbr $br
gt brctl addif $br eth0
gt brctl addif $br nrtap
gt ifconfig nrtap 0000 promisc up
gt ifconfig eth0 0000 promisc up
gt ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast
gt
gt ifconfig $br down
gt brctl delbr $br
3 Setup Featureini file on each member of the NeoRouter network The content of the file is
[Default]
NetworkBridge=1
LANSegment1=192168129126-192168129128192168129204
After setting the file restart the nrservice or reboot computer
User Manual
NeoRouter Inc 2010 Page 45 of 53
535 Routing Setup ndash site to site VPN
Requirement
A company wants create a site-to-site VPN to link two offices located in different cities They cannot install
NeoRouter client software on their computers running Unix OS (HP-Unix Solaris or SCO Unix) The NeoRouter
Network Bridge feature would be the best choice
Design
To make the VPN fast its better to use the routing mode From the requirements we can see 3 networks
1 19216812902552552550 Office 1
2 192168302552552550 Office 2
3 100102552552550 NeoRouter virtual network
Setup
1 Setup NeoRouter client on each gateway computers
2 One each gateway computer enable the feature allowing the OS to forward packets
On Windows 2000+
create HKEY_Local_MachineSystemCurrentControlSetServicesTcpipParametersIPEnableRouter
as a string value equal to 1 in the registry This will require a system reboot to take effect To confirm it
is enabled do ipconfig all from the command line IP Routing Enabled should say yes If not confirm your
registry setting and reboot again This setting is flaky in non-server versions of Windows
Also refer to httpsupportmicrosoftcomkb230082en-us
On Linux
gt echo 1 gt procsysnetipv4ip_forward
User Manual
NeoRouter Inc 2010 Page 46 of 53
On Mac OS X
1) The easy way is to create or edit etcsysctlconf and add netinetipforwarding=1
or
2) gt sysctl -w netinetipforwarding=1
3 Setup route on each gateway
On the gateway of the 1921683x network
gt route ndashp add 1921681290 mask 25525500 1001103
On the gateway of the 192168129x network
gt route ndashp add 19216830 mask 25525500 1001102
4 Setup route stable When using routing method you need to tell your other machines how to cross the VPN to
access computers on the opposite network
Option1
This requires more work but limits configuration changes to be at the computer level
On each computer of the 1921683x network
gt route ndashp add 1921681290 mask 25525500 1921683234
On each computer of the 192168129x network
gt route ndashp add 19216830 mask 25525500 192168129129
Option 2 (not all routers support this but it is the minimal configuration method)
On the router acting as the default gateway for 1921683x network add a static route that says any traffic destined
for 1921681290 network go through 1921683x (IP address of NeoRouter PC on 1921683x network)
On the router acting as the default gateway for 192168129x network add a static route that says any traffic
destined for 19216830 network go through 192168129x (IP address of NeoRouter PC on 192168129x
network)
User Manual
NeoRouter Inc 2010 Page 47 of 53
536 Bridging Setup ndash site to site VPN
537 Run Scripts When Network Bridge feature is enabled one can define commands getting called by NR Client on the following
events
These commands should be defined in the Featureini file
1When initialize the tap device but not activate it yet
CmdOnTapInit=xxxxxxxxx
2When the tap device gets activated
CmdOnTapActive=xxxxxxxxx
3When tap device gets destroyed
CmdOnTapUninit=xxxxxxxxx
These options are available on all platforms
For example one can define a script to setup static route table after the tap gets activated and has virtual IP address
assigned
Featureini
CmdOnTapActive=usrbinsetroutetablesh
User Manual
NeoRouter Inc 2010 Page 48 of 53
54 Build Custom Add-on (Windows)
541 Create Custom Add-on You can customize an add-on or even create your own
As an example letrsquos create an add-on to get the system info of a remote computer using PsTools by Mark
Russinovich and systeminfoexe command shipped with Windows
PsTools httptechnetmicrosoftcomen-ussysinternalsbb896649aspx
systeminfo httptechnetmicrosoftcomen-uslibrarybb491007aspx
a Launch NeoRouter Network Explorer open Add-ons Manager dialog
b Click + button to create a new add-on
c In add-on properties dialog enter the following
Add-on name psexec systeminfo
Command
cmdexe C cpstoolspsexecexe NRIPAddress -u ltusernamegt systeminfo amp pause
Please replace ltusernamegt with username on the remote computer
Comment Get SystemInfo of remote machine using psexec
Startup Type Manual
Icon click Change Icon button to choose one thats easy to recognize
d In the command you can use Windows environment variables or NeoRouter variables like
NRIPAddress If you click on the button next to the Command edit box you will see the Edit
Command dialog with a list of variables you can use
User Manual
NeoRouter Inc 2010 Page 49 of 53
e Three Startup types are supported
Manual the add-on will be displayed in the launch pad of Network Explorer and user can manually
launch the program
Automatic after signing in the add-on command is automatically executed when user signs into
NeoRouter Network Explorer
Automatic after Windows starts the add-on command is automatically executed when Windows
starts
f Launch the new add-on just click on the target computer in Network Explorer and choose the add-on in
the pop-up launch pad
User Manual
NeoRouter Inc 2010 Page 50 of 53
g In the above steps I have assumed that PsTools are installed at cPsTools and the remote computer has
telnet service enabled If not lets configure the system now
PsTools download from httptechnetmicrosoftcomen-ussysinternalsbb896649aspx and extract to
cPsTools folder
h Configure telnet service on remote computer This step is required on XPVista but not necessary on
Windows 20032008 servers
Run servicesmsc from the Start -gt Run command window and configured the Telnet service for
Automatic Start the service
Follow the instructions here httpsupportmicrosoftcomkb298060en-us
Launch Windows firewall and add CWINDOWSSystem32tlntsvrexe to exception list
542 Add-on File Formats
NeoRouter supports two types of add-on files nri and nra Most users only need to deal with nri files all files
downloaded from httpwwwneoroutercomaddonsindexhtml are in this format nra files are used by advanced
users to build custom add-ons
nri is the full installation package that contains both the application and the the configure info Users can simply
download nri files from and use the Install button to setup the add-on
nra contains only the configuration info Advanced users can create custom add-ons and export the configuration
info as nra files using the Export button in the add-on properties dialog Then heshe can import the nra file
on another client But remember that you will need to manually setup the application as well
User Manual
NeoRouter Inc 2010 Page 51 of 53
6 Licensing NeoRouter
61 Licensing Overview
NeoRouter Server Professional Edition has a license control mechanism User can purchase either 8 licenses or 256
licenses The number of licenses is the max number of client computers allowed in the virtual network A
NeoRouter client requires one license regardless of whether it is online or offline A NeoRouter PortableUSB client
requires one license when it is connected to the virtual network There is no limit on the number of user accounts
NeoRouter Professional has 30 days trial period Please activate before the trial period expires to ensure
uninterrupted usage The license status and remaining trial days can be found at Configuration Explorerrsquos General
page
62 Activation
If you have purchased NeoRouter Professional Edition you should receive a product key in email Please have the
product key ready before starting the activation process
a Ensure NeoRouter server is running
b Launch Configuration Explorer and sign in
c Open ldquoGeneralrdquo page click on the ldquoActivate Productrdquo button
d Enter the product key in the following dialog
e Click on the ldquoOKrdquo button to activate it
After successful activation the ldquoActivate Productrdquo button will disappear and License status will show as activated
If the server host is non-Windows you can also activate using nrserverrsquos CLI The command is as follows On Mac
nrserver executable is located under LibraryNeoRouter
ldquonrserver ndashactivateproduct ltPRODUCT KEYgtrdquo
63 Product Key Recovery
You should receive a product key in email within 48 hours after your purchase If you lose the product key please
contact us and provide your name company shipping address and email address We will verify the information and
resend the product key to you
User Manual
NeoRouter Inc 2010 Page 52 of 53
7 Troubleshooting and Support
71 Troubleshooting
If you come cross issues when using NeoRouter please use the methods to debug or report
711 Troubleshooting steps
1Install Server
2Check Server
Process
3Check Server
Listening port
4Check Port
Forwarding
6Signin with
Domain
14Check Error
Message
20 Generate Log
and email support
9Install Client
10Check Client
Service Process
11Sign in with
serverrsquos local or
public IP and port
failed
sucessful
15 Manually Start
Servernot found
started
not start
found
not open17 Check Port
conflicts
solved
Not solved
opened
19 Check Router
Port Forward
setting
not work
Set properly
8Ready
Sign in successfully
5Sign in with
public IP and port
successful
Cannot sign in
22 Router Hairpin
issue
Cannot
sign in
12Sign in with
domain name
found
successful
failed
16 Manually Start
Client ServiceNot found
started
13Ready
Sign in successfully
18 Check serverCannot
Sign in
solved
Cannot
sign in
21 Check domain
setting
Not sovled solved
Troubleshooting Steps
Setup Server Setup Client
Note
Step 2 and 10 to check if a process is running you can use Task Manager or Services Console on
Windows or ps command on other platforms
Step 3 to check server listening port you can use telnet or netstat on all platforms You can also
TcpViewer on Windows or NetActView on Linux
Step 4 to check port forwarding you can use httpwwwneoroutercomcheckportphp
Step 5 and 6 Tip ndash use Configuration Explorer instead of Network Explorer to debug server issues
Step 20 next section will explain how to generate log files
User Manual
NeoRouter Inc 2010 Page 53 of 53
Step 22 If your router does not support Hairpin please set serverrsquos LAN address in the Connection
Options dialog See Server Local Address
712 Generate Log
If you need technical support please use the following steps to collect the log files and send them to
supportneoroutercom
a Launch Network Explorer
b Select menu item HelpgtgtTroubleshootinggtgtLog Session to File
c If you want to troubleshoot the server then restart the NeoRouter server service from the servicesmsc if
you want to create log for the client then restart the NeoRouter client service from the servicemsc
d After reproduce the issue select menu item HelpgtgtTroubleshootinggtgt Log Session to File again to disable
the log and restart the service you are trying to log
e Select menu item HelpgtgtTroubleshootinggtgtOpen Configuration Folder and you will see the log file
For advanced users please setup logging settings manually referring to
httpwwwneoroutercomwikiindexphpNeoRouterWikiFAQHow_to_generate_a_log_file3F
72 Contact Us
Company website
httpwwwneoroutercom
Technical support
supportneoroutercom
Support ticket
httpswwwneoroutercomDashboardSendTicketaspx
Support forum
httpwwwneoroutercomforum
Product sales
salesneoroutercom
Knowledge base
httpwwwneoroutercomsupport
User Manual
NeoRouter Inc 2010 Page 17 of 53
Starting in release v098 the computer list shows the OS type icons next to a computer name If a computer is
online its icon is colourful and its name is bold If a computer is offline its icon is grey and its name is not bold
33 Add-on Add-ons extend NeoRouter Network Explorer and let you perform additional tasks over the virtual network
User Manual
NeoRouter Inc 2010 Page 18 of 53
331 Add-on launch pad
If you click on a computer in the computer list a popup dialog will display a list of actions you can take to remotely
control and access this computer This dialog is called the add-on launch pad
Screenshots on Windows
Screenshot on Mac
User Manual
NeoRouter Inc 2010 Page 19 of 53
NeoRouter Network Explorer has a few system default add-ons If a computer is online the following add-ons are
available
Icon Action
remote desktop connection
file sharing
ICMP ping
copy the IP address
If a computer is offline the following add-ons are supported
Icon Action
remote wakeup (WOL)
Note on remote wakeup NeoRouter server can send the Magic packet and wake up hosts that are WOL enabled If
the NeoRouter server is installed on a router remote wakeup works for hosts directly attached to this router If
server is installed on Windows Linux or Mac remote wakeup works for hosts in the same physical LAN To enable
WOL you may need to change BIOS and OS settings
332 Manage Add-ons (Windows)
You can download additional add-ons from the NeoRouter download website
(httpwwwneoroutercomaddonsindexhtml) and install them using the Add-on Manager Here we use UltraVNC
as an example to explain the setup process
a Launch NeoRouter Network Explorer choose menu File - Add-ons
b The Add-ons Manager dialog lists all the existing add-ons including system default ones and those
installed by user
User Manual
NeoRouter Inc 2010 Page 20 of 53
c To find more add-ons click on the Add-ons Gallery link at the bottom of the dialog or visit
httpwwwneoroutercomaddonsindexhtml in your web browser Download the add-on (nri) file to
your computer
d In the Add-ons Manager dialog click on Install button locate the nri file you just downloaded and
click Open to install the add-on
e Some add-ons including UltraVNC may require user to restart the NeoRouter Network Explorer to
complete the installation In such case you will see the following message box You can exit NeoRouter
Network Explorer by right click its icon in system tray and choose exit
f After installation you will see the new add-ons show up in the list
User Manual
NeoRouter Inc 2010 Page 21 of 53
g When you re-launch NeoRouter Network Explorer UltraVNC server will be started automatically If you
have not run UltraVNC server before you will see the following firewall warning and VNC configuration
dialog
h Please click the unblock button when you see the following dialog
Please enter VNC password then click the Ok button
User Manual
NeoRouter Inc 2010 Page 22 of 53
i Repeat the above steps on the remote computer that you plan to access
j To launch VNC viewer and access the remote computer choose the computer in the computer list and
click VNC viewer icon in the launch pad
333 Manage Add-ons (Mac)
a Launch NeoRouter Network Explorer choose menu File - Add-ons
b The Add-ons Manager dialog lists all the existing add-ons including system default ones and those added
by user
User Manual
NeoRouter Inc 2010 Page 23 of 53
c An add-on is essentially an apple script with NeoRouter parameters Here are some examples
Name Script
Copy IP set the clipboard to $NRIPAddress
Ping tell application Terminal to do script ping $NRIPAddress
Shared Folder tell application Finder to open location smb$NRIPAddress
Variables $NRIPAddress and $NRComputerName will be replaced with the IP and name of the selected
computer before the add-on is executed
d You can also create new add-ons or edit existing ones using the Add-On Properties dialog
User Manual
NeoRouter Inc 2010 Page 24 of 53
e To learn more about Apple Script please visit the following websites
httpenwikipediaorgwikiAppleScript
httpdeveloperapplecommaclibrarydocumentationAppleScriptConceptualAppleScriptXAp
pleScriptXhtml
34 Connection Options Connection Options dialog can be opened from Network Explorer menu ldquoFile | Connectionrdquo
341 P2P Connection This option allows user to specify the connection type between this computer and its peers The default option is
UDP User can also use direct TCP connection or relay traffic through NeoRouter server
342 Proxy Setting If the client host is behind proxy user can enter the proxy information here
User Manual
NeoRouter Inc 2010 Page 25 of 53
343 Server Local Address This option can be used to work around the connectivity issue when NeoRouter server is behind a router that does
not support hairpin
A router supports hairpin if it allows a host behind it to send network messages to its public-facing interface
Unfortunately some popular routers do not support this feature or turn off this feature by default
When user logs into NeoRouter Network Explorer first translates domain name into routerrsquos public address using
the NeoRouter DDNS service and then tries to connect to server using this address If both NeoRouter server and
client are behind the same router and the router does not support hairpin the router will block the messages that
client sends to the routerrsquos public address thus client fails to establish connection to server User could work around
this issue by entering serverrsquos LAN IP address instead of domain name in the ldquolog on tordquo box but this can be a
hassle for laptop users who frequently move between networks
These users can choose the second option ldquoConnect to server using its local address when possiblerdquo in the following
dialog and enter serverrsquos local address NeoRouter Network Explorer can detect when client and server are behind
the same router and automatically choose the specified local address to establish the connection to server
User Manual
NeoRouter Inc 2010 Page 26 of 53
35 Multi-Language
Multi-Language support allows you to change the default language displayed in Network Explorer NeoRouter
Portable and Configuration Explorer
351 Install a language resource file
NeoRouter applications support 34 languages and English is the default To install a new language you can
download the language resource files from
httpwwwneoroutercomwikiindexphpNeoRouterWikiMultilanguage and place them under the translation
folder Then the application will load them and list all available languages in the Language menu You can switch
language in the menu and the application will refresh its UI with the new language
For NeoRouter Network Explorer and Configuration Explorer the language resource files should be placed under
one of the following folders
ldquoProgram FilesZebraNetworkSystemsNeoRouterTranslationrdquo
ldquoAllUsersAppdataZebraNetworkSystemsNeoRouterTranslationrdquo
For NeoRouter PortableUSB the language resource file should be placed under Translations folder next to
application
352 Language resource file format
The file name should have the following format [Appliation Name] can be NRClient NRViewer and NRConsole
[LangCd] is the short language code
[Application name]Resource[LangCd][xml|dll]
For example Simplified Chinese version has the following files NRClientResourceZhCnxml for Network
Explorer NRConsoleResourceZhCnxml for Configuration Explorer and NRViewerResourceZhCnxml for
NeoRouter Portable
User Manual
NeoRouter Inc 2010 Page 27 of 53
Each resource file is an xml that contains all the strings defined in the NeoRouter applications The file is encoded in
ANSI The content should be in the format
ltxml version=10 encoding=windows-1252gt
ltresource CompactMode=1 Language=English (United States) LANGID=1033
version=09101650gt
ltstring id=100 value=OLE initialization failed Make sure that the OLE libraries are
the correct versiongt
ltresourcegt
Encoding (=windows-1252) Language(=English (United States)) and LANGID(=1033) are used to control
the translation version=09101650 is resource file version number introduced in v0910 The resource file can
be recognized properly only when these parameters are set properly
353 Multi-Language support for Add-ons
The names and descriptions of the add-ons can be translated to other languages as well You can download the add-
on configuration file from NeoRouter website and overwrite the following file
AllUserAppDataZebraNetworkSystemsNeoRouterAddOnsAddOnxml
36 Skin
Skin allows you to further customize the user interfaces of Network Explorer NeoRouter Portable and
Configuration Explorer
To install a new skin you can download the skin resource file from
httpwwwneoroutercomwikiindexphpNeoRouterWikiSkin and place them under the skin folder
For NeoRouter Network Explorer and Configuration Explorer the language resource files should be placed under
one of the following folders
ldquoProgram FilesZebraNetworkSystemsNeoRouterSkinrdquo
ldquoAllUsersAppdataZebraNetworkSystemsNeoRouterSkinrdquo
For NeoRouter PortableUSB the language resource file should be placed under Skin folder next to executable
To change default skin you need to modify (or create if not exists)
AllUserAppDataZebraNetworkSystemsNeoRouterFeatureini file and add the following
[Default]
SkinName=xxxxstyles
SkinStyle=xxxxini
37 Network Explorer CLI
NeoRouter Network Explorer Command Line Interface (CLI) allows user to sign in manage the computer list and
view computer status Below are the screenshots on Mac and Ubuntu Linux
User Manual
NeoRouter Inc 2010 Page 28 of 53
371 Launch CLI
Usage nrclientcmd [-d DOMAIN] [-u USERNAME] [-p PASSWORD] [-setproxy] [-setconn] [-dbroot DBROOT]
[-internal] [--help]
To launch Network Explorer CLI you can simply run nrclientcmd in a terminal without parameters Mac users can
simply double-click on the nrclientcmd shortcut on the Desktop You will be prompted for domain name and user
credential
If you need to launch nrclientcmd in a startup script you can also provide domain name or credential in the
command line arguments
If the client host is behind a proxy you can use ndashsetproxy option The proxy information will be stored in the
configuration file and nrclientcmd will respect this setting subsequently
There are also a few advance options
- setconn allow user to specify client-to-client connection type
- dbroot allow user to specify the location to store user data
- internal nrclientcmd will generate tags between information sections This option can be used by third
party developers to create a UI wrapper for CLI
372 Computer List in CLI
After signing in you will see your computer list just like on Windows The computer list will automatically update
if there are any changes in your virtual LAN eg a host comes online or offline
At the bottom of the screen lists the available commands you can use to manage the computer list change password
remotely wake up a computer or to quit
38 Network Explorer Portable
NeoRouter Network Explorer Portable can run from any computer without installation It does not require
administrator permission or use the virtual network adapter This application can be extremely useful for users who
need to connect to the VLAN from a public kiosk or from friendrsquos house
User Manual
NeoRouter Inc 2010 Page 29 of 53
Note Prior to v111 Portable and USB are two separate packages They are merged into one package in v111 and
later releases The new package is a zip file containing both the portable client and the USB Auto Run Configuration
Tool The functionalities are same as before
381 Network Explorer Portable
To use Network Explorer Portable client user can simply download it from NeoRouter download website and run
Then user will see the same user interface as the regular Network Explorer The user experience is almost the same
except for the following
The host running PortableUSB client cannot be added to the computer list or be accessed by remote computer
You can think of it as a ldquoviewer of the VLANrdquo
NeoRouter administrator users can see and manage hosts running PortableUSB clients in the Configuration
Explorer
382 Auto Run Configuration for USB
Auto Run Configuration Tool allows user to store the portable client add-ons and configuration on a USB drive
You can even configure it to launch and sign in automatically when the USB drive is plugged into a computer and to
sign out and exit when the USB drive is unplugged
Here are the steps for setting up the USB package
a Download NeoRouter for USB
b Unzip the package to any folder For example CTEMP
c Launch the ldquoAuto Run Configuration Toolrdquo (AutoRunCfgexe)
User Manual
NeoRouter Inc 2010 Page 30 of 53
d Click on the ldquohelliprdquo button next to the working directory text box and specify a working path If the target
USB drive is plugged in you can specify the USB drive root path as the working directory Or you can
specify a temporary path (eg CTEMPUSB) and copy the files to your USB driver later
e Once you specify a working directory the Settings section will be enabled
f Choose CliViewerexe from the same install zip package as the Target file
g Check the Sign in checkbox and enter the domain name and user information to log into your NeoRouter
VLAN
h Setup the proxy information if necessary
i If you want to import a NeoRouter add-on click on the button on the right side of the Add-on file text
box and specify an add-on nri file
j If you want to run an application automatically after signing in click on the Run application
automatically check box and input an executable file path and parameters
k If you want to hide the NeoRouter Viewer window click on the Minimize NeoRouter window when
started
l Click on Save button to save the configuration files It will generate the following files under the working
directory
- Autoruninf
- CliViewerexe copied from the target file
- NRAutoRunxml
- [add-on file]nri if you specify an add-on
- Proxyxml if you specify a proxy
m You will also see the following dialog if the configuration was successful Then please copy all files and
sub-folder under the working directory to the root of your USB drive And the USB drive is ready to use
39 Change Password
A user can change hisher password in NeoRouter Network Explorer User must sign in the Network Explorer using
old password then choose menu ldquoFile | Change Passwordrdquo then enter the new password in the dialog
Network Explorer CLI has similar functionality After signing in user can use ndashchangepassword command to enter
new password
If a user loses the old password an administrator can create a new password for himher using the Configuration
Explorer User Management tool
User Manual
NeoRouter Inc 2010 Page 31 of 53
4 Configuration Explorer
NeoRouter Configuration Explorer is a Windows application that allows an administrator to manage local or remote
NeoRouter server This is the recommended method to change server settings
If user does not have a Windows computer nrserver CLI can be used to perform most configurations
41 Launch and Sign In
Note Only administrators can sign in Configuration Explorer
a User can launch it from Windows Start Menu | All Programs | NeoRouter | NeoRouter Network Explorer
or from NeoRouter Network Explorer menu ldquoFile | Optionsrdquo
b After launch user will see a sign-in dialog that is similar to the Network Explorer counterpart Please enter
domain name and user credential to sign in If the local host is behind a proxy please click on Connection
button to set proxy information
c After sign in the following general information page will be displayed
User Manual
NeoRouter Inc 2010 Page 32 of 53
42 Managing Users
In the User Accounts page you can perform the following tasks
- View existing users The users list can be sorted by any column
- Add a new user admin will create a temporary password for the new user and user can change the
password in Network Explorer
- Edit user information you can enter anything like employer contact info etc
- Set userrsquos password If a user loses password admin can set a temporary password for himher Then user
can change the password again in Network Explorer
- Disable (block) a user A disabled user will not be able to sign in Network Explorer or Configuration
Explorer The userrsquos profile and ACL settings are retained
- Delete a user all information of this user is deleted
- View the computers that are visible to this user (see ACL section for details)
User Manual
NeoRouter Inc 2010 Page 33 of 53
43 Managing Computers
In the Computers page you can perform the following tasks
- View existing computers please note that the Type column will show ldquoTemporaryrdquo for Network Explore
PortableUSB clients and ldquoPermanentrdquo for regular clients The computer list can be sorted by any column
- Edit a computerrsquos alias When a computer is added to the virtual network NeoRouter reads the computer
name from the OS and displays it in the computer list If you prefer a different name you can create an
alias which will then be used in the computer list
- Edit a computerrsquos description you can enter anything like computer owner location asset id etc
- Edit ACL this will be discussed in next section
User Manual
NeoRouter Inc 2010 Page 34 of 53
44 Access Control List
This feature is available in NeoRouter Profession Edition only
441 Overview
The ACL of a host specifies which users are granted or denied access to the host and which specific services or ports
are allowed Administrators can use ACL to manage a NeoRouter domain that has users with different trust levels
For example Joe uses NeoRouter to manage the office network at his small business He wants to share some
documents on a file server with a customer but block this customer from accessing other services on this file server
and other computers at office At the same time Joe and his coworkers should continue to have full access to all
computers
This can be a daunting task with traditional VPN solutions Once Joersquos customer is connected into the office
network heshe can access all network resources just like Joe and his coworkers If the office uses a domain
controller it can help mitigate the threat but Joe would have to check all the computers to ensure they are secure
Some coworkers can make innocent mistakes and share important files or internal websites with ldquoeveryonerdquo With
NeoRouter Joe can manage all the access control at one place and easily solve this challenge
User Manual
NeoRouter Inc 2010 Page 35 of 53
ACL defines the relationships between users and computers that can be conceptually represented using a table In
Joersquos case he needs to define the ACL as follows
Default User Joe (Admin) Customer Joersquo Co-workers
Default Computer ACL Block all
File Server Allow all Allow file sharing
block other services
Office Computer A Allow all Block all
Office Computer B Allow all Block all
Joersquos laptop Allow all Block all
Customerrsquos Computer
Letrsquos first look at the row for File Server Joersquos customer will only have access to the files sharing service There is
no ACL defined for Joe and his co-workers so the ACL for Default User is effective and they have full access
Similarly the customer will be blocked from accessing office computer A and B as well as Joersquos laptop while Joe
and his coworkers have full access to these computers
When the customer connects to Joersquos NeoRouter domain his computer will be added to the domain Because the
ACL for this computer is undefined it will have the same ACL as ldquoDefault Computerrdquo Thus the customerrsquos
computer will block all users including Joe from accessing it The customer has physical access to his own
computer
442 Define Computer ACL
You can think of a computerrsquos ACL as a row in the above ACL table An admin can select any computer in the
computer list and edit its ACL If a group of computers share the same ACL admin can copy ACL from one
computer to another
To edit the Default Computer ACL you can click on the ldquoEdit Default ACLrdquo button in the tool bar
User Manual
NeoRouter Inc 2010 Page 36 of 53
443 Define ACL entry
An ACL entry defines the relationship between one user and one computer You can think of it as a cell in the above
table To edit an ACL entry you can select the computer in the computer list click Edit ACL in the tool bar and
then select the user in the User List in the following dialog If the user does not exist in the list you can click Add
button and add himher
There are 4 types of ACL entries
Undefined the relationship between the user and the computer is not explicitly defined The user does not
show up in the User List of the ACL In this case the Default User ACL entry for this computer will be
effective
Block All the computer is invisible to the user User cannot add the computer to hisher computer list in
Network Explorer or connect to it
Note admin can view the list of computers that is visible to a specific user Click on the User Accounts tab
choose the user and then click on the ldquoUser Computer Listrdquo button from tool bar
Firewall On User can only access the services in the exceptions list provided by the computer
Firewall Off User can access all services provided by the computer
To define the Default User ACL entry for a computer choose Default User from User List If several users have the
same trust level admin can copy the ACL entry from one user to another using the ldquoCopy Fromrdquo button
444 How Firewall Works
NeoRouter Client Service daemon has a built-in firewall that monitors traffic in the virtual network The firewall
downloads the ACL from server and uses it to allow or deny incoming connections in the virtual network
User Manual
NeoRouter Inc 2010 Page 37 of 53
When a remote computer establishes a direct P2P or relayed connection to local host it also informs which user has
signed into the Network Explorer on the remote computer Then the local hostrsquos firewall will use the user id to
choose the appropriate ACL entry and control the virtual network traffic between these two computers If user does
not sign in Network Explorer on the remote computer the Default User ACL entry is used
As a result NeoRouter firewall can control a userrsquos access to a network resource (a computer or a service on a
computer) based on the ACL
445 Example hub-and-spoke
Jeffrsquos company has three business partners A B and C Jeff needs to setup bidirectional network connections with
each partner but these partners should be invisible to each other Jeff setup a NeoRouter domain and invited the
partners to Then Jeff creates the following ACL to achieve his access control goals
Default User Jeff (Admin) Partner A Partner B Partner C
Default Computer ACL Block all Allow all
Jeffrsquos Computer 1 (Hub 1) Allow all
Jeffrsquos Computer 2 (Hub 2) Allow all
Partner Arsquos Computer
Partner Brsquos computer
Partner Crsquos computer
Every user will have access to Jeffrsquos two computers (hub) because they have Default User ACL entry as ldquoAllow
allrdquo Partner Arsquos computer does not have a specific ACL defined so the Default Computer ACL is effective The
Default Computer ACL grants Jeff access to Partner Arsquos computer but make the computer invisible to Partner B and
C Partner A have physical access to his own computer
446 Example one-way access
Jasonrsquos company provide technical support for customer A Jason needs to have one-way access to Customer Arsquos
computer but block Customer A from accessing Jasonrsquos computer Jason sets up the following ACL for his domain
and invites Customer A to join his domain Jason can access all the computers in the domain while Customer A can
access none except for his own
One day Jason visits another Customer Brsquos office He installs NeoRouter client on Customer Brsquos computer so that he
can provide technical support remotely in the future When he signs into Network Explorer he makes sure to
uncheck ldquoremember my passwordrdquo checkbox When he leaves customer Brsquos office he exits the Network Explorer
Because Network Explorer is not running on Customer Brsquos computer the Default User ACL governs the
connections from Customer Brsquos computer to other computers in the VLAN Thus Customer B does not have access
to any computers except for his own When Jason goes back to his office he can connect to Customer Brsquos computer
remotely and provide customer support
The difference between Customer A and B is that Customer A has a NeoRouter user account while Customer B does
not The result is that Jason has access to all three computers while Customer A or B can only access hisher own
computer
Default User Jason (Admin) Customer A
Default Computer ACL Block all Allow all
Jasonrsquos Computer
Customer Arsquos Computer
Customer Brsquos Computer
User Manual
NeoRouter Inc 2010 Page 38 of 53
45 Managing Server and Domain
In the Settings page you can perform the following tasks
- Change domain name User should have setup a domain during the server installation If you decide to
change the domain name you can create a new domain at NeoRouter Dashboard website and then use
Configuration Explorer to switch the server to new domain
- Change Listen Port this is discussed in the Advanced Configuration chapter
- Change NAT setting this is discussed in the Server Installation chapter
- Change DHCP this is discussed in the Advanced Configuration chapter
Please restart the NeoRouter server daemon after changes
46 Branding
This feature is available in NeoRouter Profession Edition only
Admin can customize the logo on the sign-in page NeoRouter Network Explorer and the banner below the computer
list The customization page of the Configuration Explorer allows user to make these changes The changes will be
effective next time user signs into the Network Explorer
User Manual
NeoRouter Inc 2010 Page 39 of 53
a Logo format custom logo can be JPG JPEG BMP or GIF files The Logo will be displayed in 180 80
pixels and the file will be automatically resized to fit The color of the pixel at (0 0) will be used as the
transparent color
b Banner format custom banner can be JPG JPEG BMP or GIF files The banner will be displayed in
190 42 pixels and the file will be automatically resized to fit
c When user clicks on the banner Network Explorer will launch a web browser and navigate to the link
specified in the ldquoBanner Linkrdquo box The banner link should be a valid URL that begins with http eg
httpwwwgooglecom
User Manual
NeoRouter Inc 2010 Page 40 of 53
47 Server Configuration CLI
Another way to configure the NeoRouter server is to use nrserverrsquos CLI If user does not have a Windows computer
with Configuration Explorer this tool can be used to set most configurations
Usage nrserver [options]
-run [--dbroot ltDBROOTgt]]
-showsettings
-setdomain ltDOMAINNAMEgt ltDOMAINPASSWORDgt
-setport ltPORTgt
-dhcp ltSUBNETgt ltNETMASKgt
-showusers
-adduser ltUSERNAMEgt ltPASSWORDgt [admin|user]
-setpassword ltUSERNAMEgt ltNEW PASSWORDgt
-setrole ltUSERNAMEgt [admin|user]
-enableuser ltUSERNAMEgt
-disableuser ltUSERNAMEgt
-deleteuser ltUSERNAMEgt
-showcomputers
-deletecomputer COMPUTERNAME
-setalias COMPUTERNAME ALIAS
-help
5 Advanced Configuration
51 Change Server Port
By default NeoRouter server listens at TCP port 32976 for incoming client connections User can change the
listening port to any valid number between 1 and 65534
a Launch Configuration Explorer sign in and open the Settings tab
b Click on ldquoChange Portrdquo button input the new listening port and click ldquoOkrdquo to save the settings
c If the NeoRouter Server is running on the same computer user will be prompted for restarting the
NeoRouter Server
d If the NeoRouter Server is running on a different computer or device user needs to restart the server
manually
User Manual
NeoRouter Inc 2010 Page 41 of 53
Note
- The new settings will not take effect until the NeoRouter server stops and restarts
- Since the listening port has been changed all NeoRouter clients connected to the server will be
disconnected and have to reconnect to the server
52 Change DHCP NeoRouter server acts as a DHCP server to allocate the virtual IP address when a NeoRouter client connects to it By default the base IP address is 100002552552550 User can change the base IP address to any valid network IP address to meet the specific requirements
a Run Configuration Explorer sign in and open the ldquoSettingsrdquo tab b Click on ldquoChange DHCPrdquo button input the new IP address and netmask and then click ldquoOkrdquo to save the
settings c If the NeoRouter Server is running on the same computer user will be prompted for restarting the
NeoRouter Server d If the NeoRouter Server is running on a different computer or device user needs to restart the server
manually
Note
- The new settings will not take effect until the NeoRouter server stops and restarts
53 Network Bridge
531 Overview NeoRouter (v099 or later) supports the Network Bridge feature which uses two very different means for
interconnecting networks routing and bridging Once the feature is enabled the ACL feature will be disabled
automatically as we cannot control the packets from the external networks anymore and may cause security issues if
its not setup properly So this is an advanced feature for the users who know about it every well
Routing - refers to the interconnection of separate and independent sub-networks (subnets) which have non-
overlapping ranges of IP addresses Upon receiving a packet sent to it a network router examines the
destination IP address to determine which of several connected networks should receive it after which that packet
is forwarded to the proper network
User Manual
NeoRouter Inc 2010 Page 42 of 53
Bridging - by comparison is much simpler A network bridge is simply an electrical interconnection between
separate physical networks that are all carrying the same ranges of IP addresses Standard dumb network hubs
and switches are examples of network bridges With a hub packets arriving at any port are bridged and sent
out to every other port A switch is a bit smarter since it is able to adaptively learn which network interface cards
(NICs) are attached to which ports But a switch is still interconnecting network segments carrying the same
ranges of IP addresses
532 Routing vs Bridging Although routed connections are the most common and straightforward to configure they suffer from significant
operational limitations By comparison bridged connections are generally much trickier to configure and are not
even natively available under all operating systems so they are not the default connection type But when bridging
is properly setup it correctly does everything that we want
Bridging and routing are functionally very similar with the major difference being that a routed VPN will not pass
IP broadcasts while a bridged VPN will
Routing advantages
Efficiency and scalability
Allows better tuning of MTU for efficiency
Routing disadvantages
Clients must use a WINS server (such as samba) to allow cross-VPN network browsing to work
Routes must be set up linking each subnet
Software that depends on broadcasts will not see machines on the other side of the VPN
Works only with IPv4 in general and IPv6 in cases where tuntap drivers on both ends of the connection
support it explicitly
Bridging advantages
Broadcasts traverse the VPN -- this allows software that depends on LAN broadcasts such as Windows
NetBIOS file sharing and network neighborhood browsing to work
No route statements to configure
Works with any protocol that can function over ethernet
Relatively easy-to-configure solution for road warriors
Bridging disadvantages
Less efficient than routing and does not scale well
533 Setup Network Bridge With either bridging mode or routing mode one can create point-to-site VPN site-to-site VPN or even multiple site-
to-site networks Once a network structure is well designed one can use Featureini file to control NeoRouter client
service to implement it
The file Featureini is located in the main configuration folder which can be various for different OS
On Windows Xp
XDocuments and SettingsAll UsersApplication DataZebraNetworkSystemsNeoRouter
On Vista+
XUsersAll UsersZebraNetworkSystemsNeoRouter
On Linux and Mac OSX
usrlocalZebraNetworkSystemsNeoRouter
On in-a-box
jffs
If it does not exist please create one
The only thing to do is define the parameters in the Featureini file
User Manual
NeoRouter Inc 2010 Page 43 of 53
NetworkBridge=1
LANSegment parameter
This is a set of parameters used for mapping the external IP address or IP range to a virtual IP address so that
NeoRouter can route the packets to the proper tunnel Its defined in the following format
LANSegment[index]=[IP|IP range|segment]VIP
[index] - number start from 1 for example 123
[IP] - a valid external IP address for example 192168129126
[IP range] - a set of external IP addresses in the format as IP_BEGIN-IP_END For example 192168129126-
192168129128
[segment] - a set of external IP addresses in the format as SUBNETWORKNETMASK For example
19216812902552552550
For example
[Default]
NetworkBridge=1
LANSegment1=192168129126-192168129128192168129204
LANSegment2=192168129120192168129205
LANSegment3=192168302552552550192168129206
In the sample above the setting tells NeoRouter how to route packets
Here are several common scenarios
534 Bridging Setup ndash point to site VPN
Requirement
A company wants create a point-to-site VPN so that the employees can remotely access the printers or computers in
the office from home or customer site Since NeoRouter client cannot be installed on the printers and some
User Manual
NeoRouter Inc 2010 Page 44 of 53
computers that are running Unix OS (HP-Unix Solaris or SCO Unix) the NeoRouter Network Bridge feature
would the best choice
Design
Since we want to use the printer its better to use the bridging mode Depending on the requirements we split the
network into 3 groups
1 192168129126 - 192168128128 used for computers or printers
2 192168129200 - 192168129254 used for NeoRouter DHCP
3 Other IP address we dont want packets from these IP range go to our VPN
Setup
1 Setup NeoRouter server and config the DHCP address to 1921681292002552552550
2 Setup the gateway computer by creating a bridge to combine the NeoRouter virtual adapter and a local adapter
On Windows XP+ (except WinXp x64) one can use Windows tool to create a bridge
(check out MSDN for details)
Since some adapters may not fully support prosmic mode one has to enable it manually
(check out httpsupportmicrosoftcomkb302348)
gt netsh bridge show adapter
gt netsh bridge set a 1 e
gt netsh bridge set a 2 e
On Linux one can use brctl command to create a bridge
gt brctl addbr $br
gt brctl addif $br eth0
gt brctl addif $br nrtap
gt ifconfig nrtap 0000 promisc up
gt ifconfig eth0 0000 promisc up
gt ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast
gt
gt ifconfig $br down
gt brctl delbr $br
3 Setup Featureini file on each member of the NeoRouter network The content of the file is
[Default]
NetworkBridge=1
LANSegment1=192168129126-192168129128192168129204
After setting the file restart the nrservice or reboot computer
User Manual
NeoRouter Inc 2010 Page 45 of 53
535 Routing Setup ndash site to site VPN
Requirement
A company wants create a site-to-site VPN to link two offices located in different cities They cannot install
NeoRouter client software on their computers running Unix OS (HP-Unix Solaris or SCO Unix) The NeoRouter
Network Bridge feature would be the best choice
Design
To make the VPN fast its better to use the routing mode From the requirements we can see 3 networks
1 19216812902552552550 Office 1
2 192168302552552550 Office 2
3 100102552552550 NeoRouter virtual network
Setup
1 Setup NeoRouter client on each gateway computers
2 One each gateway computer enable the feature allowing the OS to forward packets
On Windows 2000+
create HKEY_Local_MachineSystemCurrentControlSetServicesTcpipParametersIPEnableRouter
as a string value equal to 1 in the registry This will require a system reboot to take effect To confirm it
is enabled do ipconfig all from the command line IP Routing Enabled should say yes If not confirm your
registry setting and reboot again This setting is flaky in non-server versions of Windows
Also refer to httpsupportmicrosoftcomkb230082en-us
On Linux
gt echo 1 gt procsysnetipv4ip_forward
User Manual
NeoRouter Inc 2010 Page 46 of 53
On Mac OS X
1) The easy way is to create or edit etcsysctlconf and add netinetipforwarding=1
or
2) gt sysctl -w netinetipforwarding=1
3 Setup route on each gateway
On the gateway of the 1921683x network
gt route ndashp add 1921681290 mask 25525500 1001103
On the gateway of the 192168129x network
gt route ndashp add 19216830 mask 25525500 1001102
4 Setup route stable When using routing method you need to tell your other machines how to cross the VPN to
access computers on the opposite network
Option1
This requires more work but limits configuration changes to be at the computer level
On each computer of the 1921683x network
gt route ndashp add 1921681290 mask 25525500 1921683234
On each computer of the 192168129x network
gt route ndashp add 19216830 mask 25525500 192168129129
Option 2 (not all routers support this but it is the minimal configuration method)
On the router acting as the default gateway for 1921683x network add a static route that says any traffic destined
for 1921681290 network go through 1921683x (IP address of NeoRouter PC on 1921683x network)
On the router acting as the default gateway for 192168129x network add a static route that says any traffic
destined for 19216830 network go through 192168129x (IP address of NeoRouter PC on 192168129x
network)
User Manual
NeoRouter Inc 2010 Page 47 of 53
536 Bridging Setup ndash site to site VPN
537 Run Scripts When Network Bridge feature is enabled one can define commands getting called by NR Client on the following
events
These commands should be defined in the Featureini file
1When initialize the tap device but not activate it yet
CmdOnTapInit=xxxxxxxxx
2When the tap device gets activated
CmdOnTapActive=xxxxxxxxx
3When tap device gets destroyed
CmdOnTapUninit=xxxxxxxxx
These options are available on all platforms
For example one can define a script to setup static route table after the tap gets activated and has virtual IP address
assigned
Featureini
CmdOnTapActive=usrbinsetroutetablesh
User Manual
NeoRouter Inc 2010 Page 48 of 53
54 Build Custom Add-on (Windows)
541 Create Custom Add-on You can customize an add-on or even create your own
As an example letrsquos create an add-on to get the system info of a remote computer using PsTools by Mark
Russinovich and systeminfoexe command shipped with Windows
PsTools httptechnetmicrosoftcomen-ussysinternalsbb896649aspx
systeminfo httptechnetmicrosoftcomen-uslibrarybb491007aspx
a Launch NeoRouter Network Explorer open Add-ons Manager dialog
b Click + button to create a new add-on
c In add-on properties dialog enter the following
Add-on name psexec systeminfo
Command
cmdexe C cpstoolspsexecexe NRIPAddress -u ltusernamegt systeminfo amp pause
Please replace ltusernamegt with username on the remote computer
Comment Get SystemInfo of remote machine using psexec
Startup Type Manual
Icon click Change Icon button to choose one thats easy to recognize
d In the command you can use Windows environment variables or NeoRouter variables like
NRIPAddress If you click on the button next to the Command edit box you will see the Edit
Command dialog with a list of variables you can use
User Manual
NeoRouter Inc 2010 Page 49 of 53
e Three Startup types are supported
Manual the add-on will be displayed in the launch pad of Network Explorer and user can manually
launch the program
Automatic after signing in the add-on command is automatically executed when user signs into
NeoRouter Network Explorer
Automatic after Windows starts the add-on command is automatically executed when Windows
starts
f Launch the new add-on just click on the target computer in Network Explorer and choose the add-on in
the pop-up launch pad
User Manual
NeoRouter Inc 2010 Page 50 of 53
g In the above steps I have assumed that PsTools are installed at cPsTools and the remote computer has
telnet service enabled If not lets configure the system now
PsTools download from httptechnetmicrosoftcomen-ussysinternalsbb896649aspx and extract to
cPsTools folder
h Configure telnet service on remote computer This step is required on XPVista but not necessary on
Windows 20032008 servers
Run servicesmsc from the Start -gt Run command window and configured the Telnet service for
Automatic Start the service
Follow the instructions here httpsupportmicrosoftcomkb298060en-us
Launch Windows firewall and add CWINDOWSSystem32tlntsvrexe to exception list
542 Add-on File Formats
NeoRouter supports two types of add-on files nri and nra Most users only need to deal with nri files all files
downloaded from httpwwwneoroutercomaddonsindexhtml are in this format nra files are used by advanced
users to build custom add-ons
nri is the full installation package that contains both the application and the the configure info Users can simply
download nri files from and use the Install button to setup the add-on
nra contains only the configuration info Advanced users can create custom add-ons and export the configuration
info as nra files using the Export button in the add-on properties dialog Then heshe can import the nra file
on another client But remember that you will need to manually setup the application as well
User Manual
NeoRouter Inc 2010 Page 51 of 53
6 Licensing NeoRouter
61 Licensing Overview
NeoRouter Server Professional Edition has a license control mechanism User can purchase either 8 licenses or 256
licenses The number of licenses is the max number of client computers allowed in the virtual network A
NeoRouter client requires one license regardless of whether it is online or offline A NeoRouter PortableUSB client
requires one license when it is connected to the virtual network There is no limit on the number of user accounts
NeoRouter Professional has 30 days trial period Please activate before the trial period expires to ensure
uninterrupted usage The license status and remaining trial days can be found at Configuration Explorerrsquos General
page
62 Activation
If you have purchased NeoRouter Professional Edition you should receive a product key in email Please have the
product key ready before starting the activation process
a Ensure NeoRouter server is running
b Launch Configuration Explorer and sign in
c Open ldquoGeneralrdquo page click on the ldquoActivate Productrdquo button
d Enter the product key in the following dialog
e Click on the ldquoOKrdquo button to activate it
After successful activation the ldquoActivate Productrdquo button will disappear and License status will show as activated
If the server host is non-Windows you can also activate using nrserverrsquos CLI The command is as follows On Mac
nrserver executable is located under LibraryNeoRouter
ldquonrserver ndashactivateproduct ltPRODUCT KEYgtrdquo
63 Product Key Recovery
You should receive a product key in email within 48 hours after your purchase If you lose the product key please
contact us and provide your name company shipping address and email address We will verify the information and
resend the product key to you
User Manual
NeoRouter Inc 2010 Page 52 of 53
7 Troubleshooting and Support
71 Troubleshooting
If you come cross issues when using NeoRouter please use the methods to debug or report
711 Troubleshooting steps
1Install Server
2Check Server
Process
3Check Server
Listening port
4Check Port
Forwarding
6Signin with
Domain
14Check Error
Message
20 Generate Log
and email support
9Install Client
10Check Client
Service Process
11Sign in with
serverrsquos local or
public IP and port
failed
sucessful
15 Manually Start
Servernot found
started
not start
found
not open17 Check Port
conflicts
solved
Not solved
opened
19 Check Router
Port Forward
setting
not work
Set properly
8Ready
Sign in successfully
5Sign in with
public IP and port
successful
Cannot sign in
22 Router Hairpin
issue
Cannot
sign in
12Sign in with
domain name
found
successful
failed
16 Manually Start
Client ServiceNot found
started
13Ready
Sign in successfully
18 Check serverCannot
Sign in
solved
Cannot
sign in
21 Check domain
setting
Not sovled solved
Troubleshooting Steps
Setup Server Setup Client
Note
Step 2 and 10 to check if a process is running you can use Task Manager or Services Console on
Windows or ps command on other platforms
Step 3 to check server listening port you can use telnet or netstat on all platforms You can also
TcpViewer on Windows or NetActView on Linux
Step 4 to check port forwarding you can use httpwwwneoroutercomcheckportphp
Step 5 and 6 Tip ndash use Configuration Explorer instead of Network Explorer to debug server issues
Step 20 next section will explain how to generate log files
User Manual
NeoRouter Inc 2010 Page 53 of 53
Step 22 If your router does not support Hairpin please set serverrsquos LAN address in the Connection
Options dialog See Server Local Address
712 Generate Log
If you need technical support please use the following steps to collect the log files and send them to
supportneoroutercom
a Launch Network Explorer
b Select menu item HelpgtgtTroubleshootinggtgtLog Session to File
c If you want to troubleshoot the server then restart the NeoRouter server service from the servicesmsc if
you want to create log for the client then restart the NeoRouter client service from the servicemsc
d After reproduce the issue select menu item HelpgtgtTroubleshootinggtgt Log Session to File again to disable
the log and restart the service you are trying to log
e Select menu item HelpgtgtTroubleshootinggtgtOpen Configuration Folder and you will see the log file
For advanced users please setup logging settings manually referring to
httpwwwneoroutercomwikiindexphpNeoRouterWikiFAQHow_to_generate_a_log_file3F
72 Contact Us
Company website
httpwwwneoroutercom
Technical support
supportneoroutercom
Support ticket
httpswwwneoroutercomDashboardSendTicketaspx
Support forum
httpwwwneoroutercomforum
Product sales
salesneoroutercom
Knowledge base
httpwwwneoroutercomsupport
User Manual
NeoRouter Inc 2010 Page 18 of 53
331 Add-on launch pad
If you click on a computer in the computer list a popup dialog will display a list of actions you can take to remotely
control and access this computer This dialog is called the add-on launch pad
Screenshots on Windows
Screenshot on Mac
User Manual
NeoRouter Inc 2010 Page 19 of 53
NeoRouter Network Explorer has a few system default add-ons If a computer is online the following add-ons are
available
Icon Action
remote desktop connection
file sharing
ICMP ping
copy the IP address
If a computer is offline the following add-ons are supported
Icon Action
remote wakeup (WOL)
Note on remote wakeup NeoRouter server can send the Magic packet and wake up hosts that are WOL enabled If
the NeoRouter server is installed on a router remote wakeup works for hosts directly attached to this router If
server is installed on Windows Linux or Mac remote wakeup works for hosts in the same physical LAN To enable
WOL you may need to change BIOS and OS settings
332 Manage Add-ons (Windows)
You can download additional add-ons from the NeoRouter download website
(httpwwwneoroutercomaddonsindexhtml) and install them using the Add-on Manager Here we use UltraVNC
as an example to explain the setup process
a Launch NeoRouter Network Explorer choose menu File - Add-ons
b The Add-ons Manager dialog lists all the existing add-ons including system default ones and those
installed by user
User Manual
NeoRouter Inc 2010 Page 20 of 53
c To find more add-ons click on the Add-ons Gallery link at the bottom of the dialog or visit
httpwwwneoroutercomaddonsindexhtml in your web browser Download the add-on (nri) file to
your computer
d In the Add-ons Manager dialog click on Install button locate the nri file you just downloaded and
click Open to install the add-on
e Some add-ons including UltraVNC may require user to restart the NeoRouter Network Explorer to
complete the installation In such case you will see the following message box You can exit NeoRouter
Network Explorer by right click its icon in system tray and choose exit
f After installation you will see the new add-ons show up in the list
User Manual
NeoRouter Inc 2010 Page 21 of 53
g When you re-launch NeoRouter Network Explorer UltraVNC server will be started automatically If you
have not run UltraVNC server before you will see the following firewall warning and VNC configuration
dialog
h Please click the unblock button when you see the following dialog
Please enter VNC password then click the Ok button
User Manual
NeoRouter Inc 2010 Page 22 of 53
i Repeat the above steps on the remote computer that you plan to access
j To launch VNC viewer and access the remote computer choose the computer in the computer list and
click VNC viewer icon in the launch pad
333 Manage Add-ons (Mac)
a Launch NeoRouter Network Explorer choose menu File - Add-ons
b The Add-ons Manager dialog lists all the existing add-ons including system default ones and those added
by user
User Manual
NeoRouter Inc 2010 Page 23 of 53
c An add-on is essentially an apple script with NeoRouter parameters Here are some examples
Name Script
Copy IP set the clipboard to $NRIPAddress
Ping tell application Terminal to do script ping $NRIPAddress
Shared Folder tell application Finder to open location smb$NRIPAddress
Variables $NRIPAddress and $NRComputerName will be replaced with the IP and name of the selected
computer before the add-on is executed
d You can also create new add-ons or edit existing ones using the Add-On Properties dialog
User Manual
NeoRouter Inc 2010 Page 24 of 53
e To learn more about Apple Script please visit the following websites
httpenwikipediaorgwikiAppleScript
httpdeveloperapplecommaclibrarydocumentationAppleScriptConceptualAppleScriptXAp
pleScriptXhtml
34 Connection Options Connection Options dialog can be opened from Network Explorer menu ldquoFile | Connectionrdquo
341 P2P Connection This option allows user to specify the connection type between this computer and its peers The default option is
UDP User can also use direct TCP connection or relay traffic through NeoRouter server
342 Proxy Setting If the client host is behind proxy user can enter the proxy information here
User Manual
NeoRouter Inc 2010 Page 25 of 53
343 Server Local Address This option can be used to work around the connectivity issue when NeoRouter server is behind a router that does
not support hairpin
A router supports hairpin if it allows a host behind it to send network messages to its public-facing interface
Unfortunately some popular routers do not support this feature or turn off this feature by default
When user logs into NeoRouter Network Explorer first translates domain name into routerrsquos public address using
the NeoRouter DDNS service and then tries to connect to server using this address If both NeoRouter server and
client are behind the same router and the router does not support hairpin the router will block the messages that
client sends to the routerrsquos public address thus client fails to establish connection to server User could work around
this issue by entering serverrsquos LAN IP address instead of domain name in the ldquolog on tordquo box but this can be a
hassle for laptop users who frequently move between networks
These users can choose the second option ldquoConnect to server using its local address when possiblerdquo in the following
dialog and enter serverrsquos local address NeoRouter Network Explorer can detect when client and server are behind
the same router and automatically choose the specified local address to establish the connection to server
User Manual
NeoRouter Inc 2010 Page 26 of 53
35 Multi-Language
Multi-Language support allows you to change the default language displayed in Network Explorer NeoRouter
Portable and Configuration Explorer
351 Install a language resource file
NeoRouter applications support 34 languages and English is the default To install a new language you can
download the language resource files from
httpwwwneoroutercomwikiindexphpNeoRouterWikiMultilanguage and place them under the translation
folder Then the application will load them and list all available languages in the Language menu You can switch
language in the menu and the application will refresh its UI with the new language
For NeoRouter Network Explorer and Configuration Explorer the language resource files should be placed under
one of the following folders
ldquoProgram FilesZebraNetworkSystemsNeoRouterTranslationrdquo
ldquoAllUsersAppdataZebraNetworkSystemsNeoRouterTranslationrdquo
For NeoRouter PortableUSB the language resource file should be placed under Translations folder next to
application
352 Language resource file format
The file name should have the following format [Appliation Name] can be NRClient NRViewer and NRConsole
[LangCd] is the short language code
[Application name]Resource[LangCd][xml|dll]
For example Simplified Chinese version has the following files NRClientResourceZhCnxml for Network
Explorer NRConsoleResourceZhCnxml for Configuration Explorer and NRViewerResourceZhCnxml for
NeoRouter Portable
User Manual
NeoRouter Inc 2010 Page 27 of 53
Each resource file is an xml that contains all the strings defined in the NeoRouter applications The file is encoded in
ANSI The content should be in the format
ltxml version=10 encoding=windows-1252gt
ltresource CompactMode=1 Language=English (United States) LANGID=1033
version=09101650gt
ltstring id=100 value=OLE initialization failed Make sure that the OLE libraries are
the correct versiongt
ltresourcegt
Encoding (=windows-1252) Language(=English (United States)) and LANGID(=1033) are used to control
the translation version=09101650 is resource file version number introduced in v0910 The resource file can
be recognized properly only when these parameters are set properly
353 Multi-Language support for Add-ons
The names and descriptions of the add-ons can be translated to other languages as well You can download the add-
on configuration file from NeoRouter website and overwrite the following file
AllUserAppDataZebraNetworkSystemsNeoRouterAddOnsAddOnxml
36 Skin
Skin allows you to further customize the user interfaces of Network Explorer NeoRouter Portable and
Configuration Explorer
To install a new skin you can download the skin resource file from
httpwwwneoroutercomwikiindexphpNeoRouterWikiSkin and place them under the skin folder
For NeoRouter Network Explorer and Configuration Explorer the language resource files should be placed under
one of the following folders
ldquoProgram FilesZebraNetworkSystemsNeoRouterSkinrdquo
ldquoAllUsersAppdataZebraNetworkSystemsNeoRouterSkinrdquo
For NeoRouter PortableUSB the language resource file should be placed under Skin folder next to executable
To change default skin you need to modify (or create if not exists)
AllUserAppDataZebraNetworkSystemsNeoRouterFeatureini file and add the following
[Default]
SkinName=xxxxstyles
SkinStyle=xxxxini
37 Network Explorer CLI
NeoRouter Network Explorer Command Line Interface (CLI) allows user to sign in manage the computer list and
view computer status Below are the screenshots on Mac and Ubuntu Linux
User Manual
NeoRouter Inc 2010 Page 28 of 53
371 Launch CLI
Usage nrclientcmd [-d DOMAIN] [-u USERNAME] [-p PASSWORD] [-setproxy] [-setconn] [-dbroot DBROOT]
[-internal] [--help]
To launch Network Explorer CLI you can simply run nrclientcmd in a terminal without parameters Mac users can
simply double-click on the nrclientcmd shortcut on the Desktop You will be prompted for domain name and user
credential
If you need to launch nrclientcmd in a startup script you can also provide domain name or credential in the
command line arguments
If the client host is behind a proxy you can use ndashsetproxy option The proxy information will be stored in the
configuration file and nrclientcmd will respect this setting subsequently
There are also a few advance options
- setconn allow user to specify client-to-client connection type
- dbroot allow user to specify the location to store user data
- internal nrclientcmd will generate tags between information sections This option can be used by third
party developers to create a UI wrapper for CLI
372 Computer List in CLI
After signing in you will see your computer list just like on Windows The computer list will automatically update
if there are any changes in your virtual LAN eg a host comes online or offline
At the bottom of the screen lists the available commands you can use to manage the computer list change password
remotely wake up a computer or to quit
38 Network Explorer Portable
NeoRouter Network Explorer Portable can run from any computer without installation It does not require
administrator permission or use the virtual network adapter This application can be extremely useful for users who
need to connect to the VLAN from a public kiosk or from friendrsquos house
User Manual
NeoRouter Inc 2010 Page 29 of 53
Note Prior to v111 Portable and USB are two separate packages They are merged into one package in v111 and
later releases The new package is a zip file containing both the portable client and the USB Auto Run Configuration
Tool The functionalities are same as before
381 Network Explorer Portable
To use Network Explorer Portable client user can simply download it from NeoRouter download website and run
Then user will see the same user interface as the regular Network Explorer The user experience is almost the same
except for the following
The host running PortableUSB client cannot be added to the computer list or be accessed by remote computer
You can think of it as a ldquoviewer of the VLANrdquo
NeoRouter administrator users can see and manage hosts running PortableUSB clients in the Configuration
Explorer
382 Auto Run Configuration for USB
Auto Run Configuration Tool allows user to store the portable client add-ons and configuration on a USB drive
You can even configure it to launch and sign in automatically when the USB drive is plugged into a computer and to
sign out and exit when the USB drive is unplugged
Here are the steps for setting up the USB package
a Download NeoRouter for USB
b Unzip the package to any folder For example CTEMP
c Launch the ldquoAuto Run Configuration Toolrdquo (AutoRunCfgexe)
User Manual
NeoRouter Inc 2010 Page 30 of 53
d Click on the ldquohelliprdquo button next to the working directory text box and specify a working path If the target
USB drive is plugged in you can specify the USB drive root path as the working directory Or you can
specify a temporary path (eg CTEMPUSB) and copy the files to your USB driver later
e Once you specify a working directory the Settings section will be enabled
f Choose CliViewerexe from the same install zip package as the Target file
g Check the Sign in checkbox and enter the domain name and user information to log into your NeoRouter
VLAN
h Setup the proxy information if necessary
i If you want to import a NeoRouter add-on click on the button on the right side of the Add-on file text
box and specify an add-on nri file
j If you want to run an application automatically after signing in click on the Run application
automatically check box and input an executable file path and parameters
k If you want to hide the NeoRouter Viewer window click on the Minimize NeoRouter window when
started
l Click on Save button to save the configuration files It will generate the following files under the working
directory
- Autoruninf
- CliViewerexe copied from the target file
- NRAutoRunxml
- [add-on file]nri if you specify an add-on
- Proxyxml if you specify a proxy
m You will also see the following dialog if the configuration was successful Then please copy all files and
sub-folder under the working directory to the root of your USB drive And the USB drive is ready to use
39 Change Password
A user can change hisher password in NeoRouter Network Explorer User must sign in the Network Explorer using
old password then choose menu ldquoFile | Change Passwordrdquo then enter the new password in the dialog
Network Explorer CLI has similar functionality After signing in user can use ndashchangepassword command to enter
new password
If a user loses the old password an administrator can create a new password for himher using the Configuration
Explorer User Management tool
User Manual
NeoRouter Inc 2010 Page 31 of 53
4 Configuration Explorer
NeoRouter Configuration Explorer is a Windows application that allows an administrator to manage local or remote
NeoRouter server This is the recommended method to change server settings
If user does not have a Windows computer nrserver CLI can be used to perform most configurations
41 Launch and Sign In
Note Only administrators can sign in Configuration Explorer
a User can launch it from Windows Start Menu | All Programs | NeoRouter | NeoRouter Network Explorer
or from NeoRouter Network Explorer menu ldquoFile | Optionsrdquo
b After launch user will see a sign-in dialog that is similar to the Network Explorer counterpart Please enter
domain name and user credential to sign in If the local host is behind a proxy please click on Connection
button to set proxy information
c After sign in the following general information page will be displayed
User Manual
NeoRouter Inc 2010 Page 32 of 53
42 Managing Users
In the User Accounts page you can perform the following tasks
- View existing users The users list can be sorted by any column
- Add a new user admin will create a temporary password for the new user and user can change the
password in Network Explorer
- Edit user information you can enter anything like employer contact info etc
- Set userrsquos password If a user loses password admin can set a temporary password for himher Then user
can change the password again in Network Explorer
- Disable (block) a user A disabled user will not be able to sign in Network Explorer or Configuration
Explorer The userrsquos profile and ACL settings are retained
- Delete a user all information of this user is deleted
- View the computers that are visible to this user (see ACL section for details)
User Manual
NeoRouter Inc 2010 Page 33 of 53
43 Managing Computers
In the Computers page you can perform the following tasks
- View existing computers please note that the Type column will show ldquoTemporaryrdquo for Network Explore
PortableUSB clients and ldquoPermanentrdquo for regular clients The computer list can be sorted by any column
- Edit a computerrsquos alias When a computer is added to the virtual network NeoRouter reads the computer
name from the OS and displays it in the computer list If you prefer a different name you can create an
alias which will then be used in the computer list
- Edit a computerrsquos description you can enter anything like computer owner location asset id etc
- Edit ACL this will be discussed in next section
User Manual
NeoRouter Inc 2010 Page 34 of 53
44 Access Control List
This feature is available in NeoRouter Profession Edition only
441 Overview
The ACL of a host specifies which users are granted or denied access to the host and which specific services or ports
are allowed Administrators can use ACL to manage a NeoRouter domain that has users with different trust levels
For example Joe uses NeoRouter to manage the office network at his small business He wants to share some
documents on a file server with a customer but block this customer from accessing other services on this file server
and other computers at office At the same time Joe and his coworkers should continue to have full access to all
computers
This can be a daunting task with traditional VPN solutions Once Joersquos customer is connected into the office
network heshe can access all network resources just like Joe and his coworkers If the office uses a domain
controller it can help mitigate the threat but Joe would have to check all the computers to ensure they are secure
Some coworkers can make innocent mistakes and share important files or internal websites with ldquoeveryonerdquo With
NeoRouter Joe can manage all the access control at one place and easily solve this challenge
User Manual
NeoRouter Inc 2010 Page 35 of 53
ACL defines the relationships between users and computers that can be conceptually represented using a table In
Joersquos case he needs to define the ACL as follows
Default User Joe (Admin) Customer Joersquo Co-workers
Default Computer ACL Block all
File Server Allow all Allow file sharing
block other services
Office Computer A Allow all Block all
Office Computer B Allow all Block all
Joersquos laptop Allow all Block all
Customerrsquos Computer
Letrsquos first look at the row for File Server Joersquos customer will only have access to the files sharing service There is
no ACL defined for Joe and his co-workers so the ACL for Default User is effective and they have full access
Similarly the customer will be blocked from accessing office computer A and B as well as Joersquos laptop while Joe
and his coworkers have full access to these computers
When the customer connects to Joersquos NeoRouter domain his computer will be added to the domain Because the
ACL for this computer is undefined it will have the same ACL as ldquoDefault Computerrdquo Thus the customerrsquos
computer will block all users including Joe from accessing it The customer has physical access to his own
computer
442 Define Computer ACL
You can think of a computerrsquos ACL as a row in the above ACL table An admin can select any computer in the
computer list and edit its ACL If a group of computers share the same ACL admin can copy ACL from one
computer to another
To edit the Default Computer ACL you can click on the ldquoEdit Default ACLrdquo button in the tool bar
User Manual
NeoRouter Inc 2010 Page 36 of 53
443 Define ACL entry
An ACL entry defines the relationship between one user and one computer You can think of it as a cell in the above
table To edit an ACL entry you can select the computer in the computer list click Edit ACL in the tool bar and
then select the user in the User List in the following dialog If the user does not exist in the list you can click Add
button and add himher
There are 4 types of ACL entries
Undefined the relationship between the user and the computer is not explicitly defined The user does not
show up in the User List of the ACL In this case the Default User ACL entry for this computer will be
effective
Block All the computer is invisible to the user User cannot add the computer to hisher computer list in
Network Explorer or connect to it
Note admin can view the list of computers that is visible to a specific user Click on the User Accounts tab
choose the user and then click on the ldquoUser Computer Listrdquo button from tool bar
Firewall On User can only access the services in the exceptions list provided by the computer
Firewall Off User can access all services provided by the computer
To define the Default User ACL entry for a computer choose Default User from User List If several users have the
same trust level admin can copy the ACL entry from one user to another using the ldquoCopy Fromrdquo button
444 How Firewall Works
NeoRouter Client Service daemon has a built-in firewall that monitors traffic in the virtual network The firewall
downloads the ACL from server and uses it to allow or deny incoming connections in the virtual network
User Manual
NeoRouter Inc 2010 Page 37 of 53
When a remote computer establishes a direct P2P or relayed connection to local host it also informs which user has
signed into the Network Explorer on the remote computer Then the local hostrsquos firewall will use the user id to
choose the appropriate ACL entry and control the virtual network traffic between these two computers If user does
not sign in Network Explorer on the remote computer the Default User ACL entry is used
As a result NeoRouter firewall can control a userrsquos access to a network resource (a computer or a service on a
computer) based on the ACL
445 Example hub-and-spoke
Jeffrsquos company has three business partners A B and C Jeff needs to setup bidirectional network connections with
each partner but these partners should be invisible to each other Jeff setup a NeoRouter domain and invited the
partners to Then Jeff creates the following ACL to achieve his access control goals
Default User Jeff (Admin) Partner A Partner B Partner C
Default Computer ACL Block all Allow all
Jeffrsquos Computer 1 (Hub 1) Allow all
Jeffrsquos Computer 2 (Hub 2) Allow all
Partner Arsquos Computer
Partner Brsquos computer
Partner Crsquos computer
Every user will have access to Jeffrsquos two computers (hub) because they have Default User ACL entry as ldquoAllow
allrdquo Partner Arsquos computer does not have a specific ACL defined so the Default Computer ACL is effective The
Default Computer ACL grants Jeff access to Partner Arsquos computer but make the computer invisible to Partner B and
C Partner A have physical access to his own computer
446 Example one-way access
Jasonrsquos company provide technical support for customer A Jason needs to have one-way access to Customer Arsquos
computer but block Customer A from accessing Jasonrsquos computer Jason sets up the following ACL for his domain
and invites Customer A to join his domain Jason can access all the computers in the domain while Customer A can
access none except for his own
One day Jason visits another Customer Brsquos office He installs NeoRouter client on Customer Brsquos computer so that he
can provide technical support remotely in the future When he signs into Network Explorer he makes sure to
uncheck ldquoremember my passwordrdquo checkbox When he leaves customer Brsquos office he exits the Network Explorer
Because Network Explorer is not running on Customer Brsquos computer the Default User ACL governs the
connections from Customer Brsquos computer to other computers in the VLAN Thus Customer B does not have access
to any computers except for his own When Jason goes back to his office he can connect to Customer Brsquos computer
remotely and provide customer support
The difference between Customer A and B is that Customer A has a NeoRouter user account while Customer B does
not The result is that Jason has access to all three computers while Customer A or B can only access hisher own
computer
Default User Jason (Admin) Customer A
Default Computer ACL Block all Allow all
Jasonrsquos Computer
Customer Arsquos Computer
Customer Brsquos Computer
User Manual
NeoRouter Inc 2010 Page 38 of 53
45 Managing Server and Domain
In the Settings page you can perform the following tasks
- Change domain name User should have setup a domain during the server installation If you decide to
change the domain name you can create a new domain at NeoRouter Dashboard website and then use
Configuration Explorer to switch the server to new domain
- Change Listen Port this is discussed in the Advanced Configuration chapter
- Change NAT setting this is discussed in the Server Installation chapter
- Change DHCP this is discussed in the Advanced Configuration chapter
Please restart the NeoRouter server daemon after changes
46 Branding
This feature is available in NeoRouter Profession Edition only
Admin can customize the logo on the sign-in page NeoRouter Network Explorer and the banner below the computer
list The customization page of the Configuration Explorer allows user to make these changes The changes will be
effective next time user signs into the Network Explorer
User Manual
NeoRouter Inc 2010 Page 39 of 53
a Logo format custom logo can be JPG JPEG BMP or GIF files The Logo will be displayed in 180 80
pixels and the file will be automatically resized to fit The color of the pixel at (0 0) will be used as the
transparent color
b Banner format custom banner can be JPG JPEG BMP or GIF files The banner will be displayed in
190 42 pixels and the file will be automatically resized to fit
c When user clicks on the banner Network Explorer will launch a web browser and navigate to the link
specified in the ldquoBanner Linkrdquo box The banner link should be a valid URL that begins with http eg
httpwwwgooglecom
User Manual
NeoRouter Inc 2010 Page 40 of 53
47 Server Configuration CLI
Another way to configure the NeoRouter server is to use nrserverrsquos CLI If user does not have a Windows computer
with Configuration Explorer this tool can be used to set most configurations
Usage nrserver [options]
-run [--dbroot ltDBROOTgt]]
-showsettings
-setdomain ltDOMAINNAMEgt ltDOMAINPASSWORDgt
-setport ltPORTgt
-dhcp ltSUBNETgt ltNETMASKgt
-showusers
-adduser ltUSERNAMEgt ltPASSWORDgt [admin|user]
-setpassword ltUSERNAMEgt ltNEW PASSWORDgt
-setrole ltUSERNAMEgt [admin|user]
-enableuser ltUSERNAMEgt
-disableuser ltUSERNAMEgt
-deleteuser ltUSERNAMEgt
-showcomputers
-deletecomputer COMPUTERNAME
-setalias COMPUTERNAME ALIAS
-help
5 Advanced Configuration
51 Change Server Port
By default NeoRouter server listens at TCP port 32976 for incoming client connections User can change the
listening port to any valid number between 1 and 65534
a Launch Configuration Explorer sign in and open the Settings tab
b Click on ldquoChange Portrdquo button input the new listening port and click ldquoOkrdquo to save the settings
c If the NeoRouter Server is running on the same computer user will be prompted for restarting the
NeoRouter Server
d If the NeoRouter Server is running on a different computer or device user needs to restart the server
manually
User Manual
NeoRouter Inc 2010 Page 41 of 53
Note
- The new settings will not take effect until the NeoRouter server stops and restarts
- Since the listening port has been changed all NeoRouter clients connected to the server will be
disconnected and have to reconnect to the server
52 Change DHCP NeoRouter server acts as a DHCP server to allocate the virtual IP address when a NeoRouter client connects to it By default the base IP address is 100002552552550 User can change the base IP address to any valid network IP address to meet the specific requirements
a Run Configuration Explorer sign in and open the ldquoSettingsrdquo tab b Click on ldquoChange DHCPrdquo button input the new IP address and netmask and then click ldquoOkrdquo to save the
settings c If the NeoRouter Server is running on the same computer user will be prompted for restarting the
NeoRouter Server d If the NeoRouter Server is running on a different computer or device user needs to restart the server
manually
Note
- The new settings will not take effect until the NeoRouter server stops and restarts
53 Network Bridge
531 Overview NeoRouter (v099 or later) supports the Network Bridge feature which uses two very different means for
interconnecting networks routing and bridging Once the feature is enabled the ACL feature will be disabled
automatically as we cannot control the packets from the external networks anymore and may cause security issues if
its not setup properly So this is an advanced feature for the users who know about it every well
Routing - refers to the interconnection of separate and independent sub-networks (subnets) which have non-
overlapping ranges of IP addresses Upon receiving a packet sent to it a network router examines the
destination IP address to determine which of several connected networks should receive it after which that packet
is forwarded to the proper network
User Manual
NeoRouter Inc 2010 Page 42 of 53
Bridging - by comparison is much simpler A network bridge is simply an electrical interconnection between
separate physical networks that are all carrying the same ranges of IP addresses Standard dumb network hubs
and switches are examples of network bridges With a hub packets arriving at any port are bridged and sent
out to every other port A switch is a bit smarter since it is able to adaptively learn which network interface cards
(NICs) are attached to which ports But a switch is still interconnecting network segments carrying the same
ranges of IP addresses
532 Routing vs Bridging Although routed connections are the most common and straightforward to configure they suffer from significant
operational limitations By comparison bridged connections are generally much trickier to configure and are not
even natively available under all operating systems so they are not the default connection type But when bridging
is properly setup it correctly does everything that we want
Bridging and routing are functionally very similar with the major difference being that a routed VPN will not pass
IP broadcasts while a bridged VPN will
Routing advantages
Efficiency and scalability
Allows better tuning of MTU for efficiency
Routing disadvantages
Clients must use a WINS server (such as samba) to allow cross-VPN network browsing to work
Routes must be set up linking each subnet
Software that depends on broadcasts will not see machines on the other side of the VPN
Works only with IPv4 in general and IPv6 in cases where tuntap drivers on both ends of the connection
support it explicitly
Bridging advantages
Broadcasts traverse the VPN -- this allows software that depends on LAN broadcasts such as Windows
NetBIOS file sharing and network neighborhood browsing to work
No route statements to configure
Works with any protocol that can function over ethernet
Relatively easy-to-configure solution for road warriors
Bridging disadvantages
Less efficient than routing and does not scale well
533 Setup Network Bridge With either bridging mode or routing mode one can create point-to-site VPN site-to-site VPN or even multiple site-
to-site networks Once a network structure is well designed one can use Featureini file to control NeoRouter client
service to implement it
The file Featureini is located in the main configuration folder which can be various for different OS
On Windows Xp
XDocuments and SettingsAll UsersApplication DataZebraNetworkSystemsNeoRouter
On Vista+
XUsersAll UsersZebraNetworkSystemsNeoRouter
On Linux and Mac OSX
usrlocalZebraNetworkSystemsNeoRouter
On in-a-box
jffs
If it does not exist please create one
The only thing to do is define the parameters in the Featureini file
User Manual
NeoRouter Inc 2010 Page 43 of 53
NetworkBridge=1
LANSegment parameter
This is a set of parameters used for mapping the external IP address or IP range to a virtual IP address so that
NeoRouter can route the packets to the proper tunnel Its defined in the following format
LANSegment[index]=[IP|IP range|segment]VIP
[index] - number start from 1 for example 123
[IP] - a valid external IP address for example 192168129126
[IP range] - a set of external IP addresses in the format as IP_BEGIN-IP_END For example 192168129126-
192168129128
[segment] - a set of external IP addresses in the format as SUBNETWORKNETMASK For example
19216812902552552550
For example
[Default]
NetworkBridge=1
LANSegment1=192168129126-192168129128192168129204
LANSegment2=192168129120192168129205
LANSegment3=192168302552552550192168129206
In the sample above the setting tells NeoRouter how to route packets
Here are several common scenarios
534 Bridging Setup ndash point to site VPN
Requirement
A company wants create a point-to-site VPN so that the employees can remotely access the printers or computers in
the office from home or customer site Since NeoRouter client cannot be installed on the printers and some
User Manual
NeoRouter Inc 2010 Page 44 of 53
computers that are running Unix OS (HP-Unix Solaris or SCO Unix) the NeoRouter Network Bridge feature
would the best choice
Design
Since we want to use the printer its better to use the bridging mode Depending on the requirements we split the
network into 3 groups
1 192168129126 - 192168128128 used for computers or printers
2 192168129200 - 192168129254 used for NeoRouter DHCP
3 Other IP address we dont want packets from these IP range go to our VPN
Setup
1 Setup NeoRouter server and config the DHCP address to 1921681292002552552550
2 Setup the gateway computer by creating a bridge to combine the NeoRouter virtual adapter and a local adapter
On Windows XP+ (except WinXp x64) one can use Windows tool to create a bridge
(check out MSDN for details)
Since some adapters may not fully support prosmic mode one has to enable it manually
(check out httpsupportmicrosoftcomkb302348)
gt netsh bridge show adapter
gt netsh bridge set a 1 e
gt netsh bridge set a 2 e
On Linux one can use brctl command to create a bridge
gt brctl addbr $br
gt brctl addif $br eth0
gt brctl addif $br nrtap
gt ifconfig nrtap 0000 promisc up
gt ifconfig eth0 0000 promisc up
gt ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast
gt
gt ifconfig $br down
gt brctl delbr $br
3 Setup Featureini file on each member of the NeoRouter network The content of the file is
[Default]
NetworkBridge=1
LANSegment1=192168129126-192168129128192168129204
After setting the file restart the nrservice or reboot computer
User Manual
NeoRouter Inc 2010 Page 45 of 53
535 Routing Setup ndash site to site VPN
Requirement
A company wants create a site-to-site VPN to link two offices located in different cities They cannot install
NeoRouter client software on their computers running Unix OS (HP-Unix Solaris or SCO Unix) The NeoRouter
Network Bridge feature would be the best choice
Design
To make the VPN fast its better to use the routing mode From the requirements we can see 3 networks
1 19216812902552552550 Office 1
2 192168302552552550 Office 2
3 100102552552550 NeoRouter virtual network
Setup
1 Setup NeoRouter client on each gateway computers
2 One each gateway computer enable the feature allowing the OS to forward packets
On Windows 2000+
create HKEY_Local_MachineSystemCurrentControlSetServicesTcpipParametersIPEnableRouter
as a string value equal to 1 in the registry This will require a system reboot to take effect To confirm it
is enabled do ipconfig all from the command line IP Routing Enabled should say yes If not confirm your
registry setting and reboot again This setting is flaky in non-server versions of Windows
Also refer to httpsupportmicrosoftcomkb230082en-us
On Linux
gt echo 1 gt procsysnetipv4ip_forward
User Manual
NeoRouter Inc 2010 Page 46 of 53
On Mac OS X
1) The easy way is to create or edit etcsysctlconf and add netinetipforwarding=1
or
2) gt sysctl -w netinetipforwarding=1
3 Setup route on each gateway
On the gateway of the 1921683x network
gt route ndashp add 1921681290 mask 25525500 1001103
On the gateway of the 192168129x network
gt route ndashp add 19216830 mask 25525500 1001102
4 Setup route stable When using routing method you need to tell your other machines how to cross the VPN to
access computers on the opposite network
Option1
This requires more work but limits configuration changes to be at the computer level
On each computer of the 1921683x network
gt route ndashp add 1921681290 mask 25525500 1921683234
On each computer of the 192168129x network
gt route ndashp add 19216830 mask 25525500 192168129129
Option 2 (not all routers support this but it is the minimal configuration method)
On the router acting as the default gateway for 1921683x network add a static route that says any traffic destined
for 1921681290 network go through 1921683x (IP address of NeoRouter PC on 1921683x network)
On the router acting as the default gateway for 192168129x network add a static route that says any traffic
destined for 19216830 network go through 192168129x (IP address of NeoRouter PC on 192168129x
network)
User Manual
NeoRouter Inc 2010 Page 47 of 53
536 Bridging Setup ndash site to site VPN
537 Run Scripts When Network Bridge feature is enabled one can define commands getting called by NR Client on the following
events
These commands should be defined in the Featureini file
1When initialize the tap device but not activate it yet
CmdOnTapInit=xxxxxxxxx
2When the tap device gets activated
CmdOnTapActive=xxxxxxxxx
3When tap device gets destroyed
CmdOnTapUninit=xxxxxxxxx
These options are available on all platforms
For example one can define a script to setup static route table after the tap gets activated and has virtual IP address
assigned
Featureini
CmdOnTapActive=usrbinsetroutetablesh
User Manual
NeoRouter Inc 2010 Page 48 of 53
54 Build Custom Add-on (Windows)
541 Create Custom Add-on You can customize an add-on or even create your own
As an example letrsquos create an add-on to get the system info of a remote computer using PsTools by Mark
Russinovich and systeminfoexe command shipped with Windows
PsTools httptechnetmicrosoftcomen-ussysinternalsbb896649aspx
systeminfo httptechnetmicrosoftcomen-uslibrarybb491007aspx
a Launch NeoRouter Network Explorer open Add-ons Manager dialog
b Click + button to create a new add-on
c In add-on properties dialog enter the following
Add-on name psexec systeminfo
Command
cmdexe C cpstoolspsexecexe NRIPAddress -u ltusernamegt systeminfo amp pause
Please replace ltusernamegt with username on the remote computer
Comment Get SystemInfo of remote machine using psexec
Startup Type Manual
Icon click Change Icon button to choose one thats easy to recognize
d In the command you can use Windows environment variables or NeoRouter variables like
NRIPAddress If you click on the button next to the Command edit box you will see the Edit
Command dialog with a list of variables you can use
User Manual
NeoRouter Inc 2010 Page 49 of 53
e Three Startup types are supported
Manual the add-on will be displayed in the launch pad of Network Explorer and user can manually
launch the program
Automatic after signing in the add-on command is automatically executed when user signs into
NeoRouter Network Explorer
Automatic after Windows starts the add-on command is automatically executed when Windows
starts
f Launch the new add-on just click on the target computer in Network Explorer and choose the add-on in
the pop-up launch pad
User Manual
NeoRouter Inc 2010 Page 50 of 53
g In the above steps I have assumed that PsTools are installed at cPsTools and the remote computer has
telnet service enabled If not lets configure the system now
PsTools download from httptechnetmicrosoftcomen-ussysinternalsbb896649aspx and extract to
cPsTools folder
h Configure telnet service on remote computer This step is required on XPVista but not necessary on
Windows 20032008 servers
Run servicesmsc from the Start -gt Run command window and configured the Telnet service for
Automatic Start the service
Follow the instructions here httpsupportmicrosoftcomkb298060en-us
Launch Windows firewall and add CWINDOWSSystem32tlntsvrexe to exception list
542 Add-on File Formats
NeoRouter supports two types of add-on files nri and nra Most users only need to deal with nri files all files
downloaded from httpwwwneoroutercomaddonsindexhtml are in this format nra files are used by advanced
users to build custom add-ons
nri is the full installation package that contains both the application and the the configure info Users can simply
download nri files from and use the Install button to setup the add-on
nra contains only the configuration info Advanced users can create custom add-ons and export the configuration
info as nra files using the Export button in the add-on properties dialog Then heshe can import the nra file
on another client But remember that you will need to manually setup the application as well
User Manual
NeoRouter Inc 2010 Page 51 of 53
6 Licensing NeoRouter
61 Licensing Overview
NeoRouter Server Professional Edition has a license control mechanism User can purchase either 8 licenses or 256
licenses The number of licenses is the max number of client computers allowed in the virtual network A
NeoRouter client requires one license regardless of whether it is online or offline A NeoRouter PortableUSB client
requires one license when it is connected to the virtual network There is no limit on the number of user accounts
NeoRouter Professional has 30 days trial period Please activate before the trial period expires to ensure
uninterrupted usage The license status and remaining trial days can be found at Configuration Explorerrsquos General
page
62 Activation
If you have purchased NeoRouter Professional Edition you should receive a product key in email Please have the
product key ready before starting the activation process
a Ensure NeoRouter server is running
b Launch Configuration Explorer and sign in
c Open ldquoGeneralrdquo page click on the ldquoActivate Productrdquo button
d Enter the product key in the following dialog
e Click on the ldquoOKrdquo button to activate it
After successful activation the ldquoActivate Productrdquo button will disappear and License status will show as activated
If the server host is non-Windows you can also activate using nrserverrsquos CLI The command is as follows On Mac
nrserver executable is located under LibraryNeoRouter
ldquonrserver ndashactivateproduct ltPRODUCT KEYgtrdquo
63 Product Key Recovery
You should receive a product key in email within 48 hours after your purchase If you lose the product key please
contact us and provide your name company shipping address and email address We will verify the information and
resend the product key to you
User Manual
NeoRouter Inc 2010 Page 52 of 53
7 Troubleshooting and Support
71 Troubleshooting
If you come cross issues when using NeoRouter please use the methods to debug or report
711 Troubleshooting steps
1Install Server
2Check Server
Process
3Check Server
Listening port
4Check Port
Forwarding
6Signin with
Domain
14Check Error
Message
20 Generate Log
and email support
9Install Client
10Check Client
Service Process
11Sign in with
serverrsquos local or
public IP and port
failed
sucessful
15 Manually Start
Servernot found
started
not start
found
not open17 Check Port
conflicts
solved
Not solved
opened
19 Check Router
Port Forward
setting
not work
Set properly
8Ready
Sign in successfully
5Sign in with
public IP and port
successful
Cannot sign in
22 Router Hairpin
issue
Cannot
sign in
12Sign in with
domain name
found
successful
failed
16 Manually Start
Client ServiceNot found
started
13Ready
Sign in successfully
18 Check serverCannot
Sign in
solved
Cannot
sign in
21 Check domain
setting
Not sovled solved
Troubleshooting Steps
Setup Server Setup Client
Note
Step 2 and 10 to check if a process is running you can use Task Manager or Services Console on
Windows or ps command on other platforms
Step 3 to check server listening port you can use telnet or netstat on all platforms You can also
TcpViewer on Windows or NetActView on Linux
Step 4 to check port forwarding you can use httpwwwneoroutercomcheckportphp
Step 5 and 6 Tip ndash use Configuration Explorer instead of Network Explorer to debug server issues
Step 20 next section will explain how to generate log files
User Manual
NeoRouter Inc 2010 Page 53 of 53
Step 22 If your router does not support Hairpin please set serverrsquos LAN address in the Connection
Options dialog See Server Local Address
712 Generate Log
If you need technical support please use the following steps to collect the log files and send them to
supportneoroutercom
a Launch Network Explorer
b Select menu item HelpgtgtTroubleshootinggtgtLog Session to File
c If you want to troubleshoot the server then restart the NeoRouter server service from the servicesmsc if
you want to create log for the client then restart the NeoRouter client service from the servicemsc
d After reproduce the issue select menu item HelpgtgtTroubleshootinggtgt Log Session to File again to disable
the log and restart the service you are trying to log
e Select menu item HelpgtgtTroubleshootinggtgtOpen Configuration Folder and you will see the log file
For advanced users please setup logging settings manually referring to
httpwwwneoroutercomwikiindexphpNeoRouterWikiFAQHow_to_generate_a_log_file3F
72 Contact Us
Company website
httpwwwneoroutercom
Technical support
supportneoroutercom
Support ticket
httpswwwneoroutercomDashboardSendTicketaspx
Support forum
httpwwwneoroutercomforum
Product sales
salesneoroutercom
Knowledge base
httpwwwneoroutercomsupport
User Manual
NeoRouter Inc 2010 Page 19 of 53
NeoRouter Network Explorer has a few system default add-ons If a computer is online the following add-ons are
available
Icon Action
remote desktop connection
file sharing
ICMP ping
copy the IP address
If a computer is offline the following add-ons are supported
Icon Action
remote wakeup (WOL)
Note on remote wakeup NeoRouter server can send the Magic packet and wake up hosts that are WOL enabled If
the NeoRouter server is installed on a router remote wakeup works for hosts directly attached to this router If
server is installed on Windows Linux or Mac remote wakeup works for hosts in the same physical LAN To enable
WOL you may need to change BIOS and OS settings
332 Manage Add-ons (Windows)
You can download additional add-ons from the NeoRouter download website
(httpwwwneoroutercomaddonsindexhtml) and install them using the Add-on Manager Here we use UltraVNC
as an example to explain the setup process
a Launch NeoRouter Network Explorer choose menu File - Add-ons
b The Add-ons Manager dialog lists all the existing add-ons including system default ones and those
installed by user
User Manual
NeoRouter Inc 2010 Page 20 of 53
c To find more add-ons click on the Add-ons Gallery link at the bottom of the dialog or visit
httpwwwneoroutercomaddonsindexhtml in your web browser Download the add-on (nri) file to
your computer
d In the Add-ons Manager dialog click on Install button locate the nri file you just downloaded and
click Open to install the add-on
e Some add-ons including UltraVNC may require user to restart the NeoRouter Network Explorer to
complete the installation In such case you will see the following message box You can exit NeoRouter
Network Explorer by right click its icon in system tray and choose exit
f After installation you will see the new add-ons show up in the list
User Manual
NeoRouter Inc 2010 Page 21 of 53
g When you re-launch NeoRouter Network Explorer UltraVNC server will be started automatically If you
have not run UltraVNC server before you will see the following firewall warning and VNC configuration
dialog
h Please click the unblock button when you see the following dialog
Please enter VNC password then click the Ok button
User Manual
NeoRouter Inc 2010 Page 22 of 53
i Repeat the above steps on the remote computer that you plan to access
j To launch VNC viewer and access the remote computer choose the computer in the computer list and
click VNC viewer icon in the launch pad
333 Manage Add-ons (Mac)
a Launch NeoRouter Network Explorer choose menu File - Add-ons
b The Add-ons Manager dialog lists all the existing add-ons including system default ones and those added
by user
User Manual
NeoRouter Inc 2010 Page 23 of 53
c An add-on is essentially an apple script with NeoRouter parameters Here are some examples
Name Script
Copy IP set the clipboard to $NRIPAddress
Ping tell application Terminal to do script ping $NRIPAddress
Shared Folder tell application Finder to open location smb$NRIPAddress
Variables $NRIPAddress and $NRComputerName will be replaced with the IP and name of the selected
computer before the add-on is executed
d You can also create new add-ons or edit existing ones using the Add-On Properties dialog
User Manual
NeoRouter Inc 2010 Page 24 of 53
e To learn more about Apple Script please visit the following websites
httpenwikipediaorgwikiAppleScript
httpdeveloperapplecommaclibrarydocumentationAppleScriptConceptualAppleScriptXAp
pleScriptXhtml
34 Connection Options Connection Options dialog can be opened from Network Explorer menu ldquoFile | Connectionrdquo
341 P2P Connection This option allows user to specify the connection type between this computer and its peers The default option is
UDP User can also use direct TCP connection or relay traffic through NeoRouter server
342 Proxy Setting If the client host is behind proxy user can enter the proxy information here
User Manual
NeoRouter Inc 2010 Page 25 of 53
343 Server Local Address This option can be used to work around the connectivity issue when NeoRouter server is behind a router that does
not support hairpin
A router supports hairpin if it allows a host behind it to send network messages to its public-facing interface
Unfortunately some popular routers do not support this feature or turn off this feature by default
When user logs into NeoRouter Network Explorer first translates domain name into routerrsquos public address using
the NeoRouter DDNS service and then tries to connect to server using this address If both NeoRouter server and
client are behind the same router and the router does not support hairpin the router will block the messages that
client sends to the routerrsquos public address thus client fails to establish connection to server User could work around
this issue by entering serverrsquos LAN IP address instead of domain name in the ldquolog on tordquo box but this can be a
hassle for laptop users who frequently move between networks
These users can choose the second option ldquoConnect to server using its local address when possiblerdquo in the following
dialog and enter serverrsquos local address NeoRouter Network Explorer can detect when client and server are behind
the same router and automatically choose the specified local address to establish the connection to server
User Manual
NeoRouter Inc 2010 Page 26 of 53
35 Multi-Language
Multi-Language support allows you to change the default language displayed in Network Explorer NeoRouter
Portable and Configuration Explorer
351 Install a language resource file
NeoRouter applications support 34 languages and English is the default To install a new language you can
download the language resource files from
httpwwwneoroutercomwikiindexphpNeoRouterWikiMultilanguage and place them under the translation
folder Then the application will load them and list all available languages in the Language menu You can switch
language in the menu and the application will refresh its UI with the new language
For NeoRouter Network Explorer and Configuration Explorer the language resource files should be placed under
one of the following folders
ldquoProgram FilesZebraNetworkSystemsNeoRouterTranslationrdquo
ldquoAllUsersAppdataZebraNetworkSystemsNeoRouterTranslationrdquo
For NeoRouter PortableUSB the language resource file should be placed under Translations folder next to
application
352 Language resource file format
The file name should have the following format [Appliation Name] can be NRClient NRViewer and NRConsole
[LangCd] is the short language code
[Application name]Resource[LangCd][xml|dll]
For example Simplified Chinese version has the following files NRClientResourceZhCnxml for Network
Explorer NRConsoleResourceZhCnxml for Configuration Explorer and NRViewerResourceZhCnxml for
NeoRouter Portable
User Manual
NeoRouter Inc 2010 Page 27 of 53
Each resource file is an xml that contains all the strings defined in the NeoRouter applications The file is encoded in
ANSI The content should be in the format
ltxml version=10 encoding=windows-1252gt
ltresource CompactMode=1 Language=English (United States) LANGID=1033
version=09101650gt
ltstring id=100 value=OLE initialization failed Make sure that the OLE libraries are
the correct versiongt
ltresourcegt
Encoding (=windows-1252) Language(=English (United States)) and LANGID(=1033) are used to control
the translation version=09101650 is resource file version number introduced in v0910 The resource file can
be recognized properly only when these parameters are set properly
353 Multi-Language support for Add-ons
The names and descriptions of the add-ons can be translated to other languages as well You can download the add-
on configuration file from NeoRouter website and overwrite the following file
AllUserAppDataZebraNetworkSystemsNeoRouterAddOnsAddOnxml
36 Skin
Skin allows you to further customize the user interfaces of Network Explorer NeoRouter Portable and
Configuration Explorer
To install a new skin you can download the skin resource file from
httpwwwneoroutercomwikiindexphpNeoRouterWikiSkin and place them under the skin folder
For NeoRouter Network Explorer and Configuration Explorer the language resource files should be placed under
one of the following folders
ldquoProgram FilesZebraNetworkSystemsNeoRouterSkinrdquo
ldquoAllUsersAppdataZebraNetworkSystemsNeoRouterSkinrdquo
For NeoRouter PortableUSB the language resource file should be placed under Skin folder next to executable
To change default skin you need to modify (or create if not exists)
AllUserAppDataZebraNetworkSystemsNeoRouterFeatureini file and add the following
[Default]
SkinName=xxxxstyles
SkinStyle=xxxxini
37 Network Explorer CLI
NeoRouter Network Explorer Command Line Interface (CLI) allows user to sign in manage the computer list and
view computer status Below are the screenshots on Mac and Ubuntu Linux
User Manual
NeoRouter Inc 2010 Page 28 of 53
371 Launch CLI
Usage nrclientcmd [-d DOMAIN] [-u USERNAME] [-p PASSWORD] [-setproxy] [-setconn] [-dbroot DBROOT]
[-internal] [--help]
To launch Network Explorer CLI you can simply run nrclientcmd in a terminal without parameters Mac users can
simply double-click on the nrclientcmd shortcut on the Desktop You will be prompted for domain name and user
credential
If you need to launch nrclientcmd in a startup script you can also provide domain name or credential in the
command line arguments
If the client host is behind a proxy you can use ndashsetproxy option The proxy information will be stored in the
configuration file and nrclientcmd will respect this setting subsequently
There are also a few advance options
- setconn allow user to specify client-to-client connection type
- dbroot allow user to specify the location to store user data
- internal nrclientcmd will generate tags between information sections This option can be used by third
party developers to create a UI wrapper for CLI
372 Computer List in CLI
After signing in you will see your computer list just like on Windows The computer list will automatically update
if there are any changes in your virtual LAN eg a host comes online or offline
At the bottom of the screen lists the available commands you can use to manage the computer list change password
remotely wake up a computer or to quit
38 Network Explorer Portable
NeoRouter Network Explorer Portable can run from any computer without installation It does not require
administrator permission or use the virtual network adapter This application can be extremely useful for users who
need to connect to the VLAN from a public kiosk or from friendrsquos house
User Manual
NeoRouter Inc 2010 Page 29 of 53
Note Prior to v111 Portable and USB are two separate packages They are merged into one package in v111 and
later releases The new package is a zip file containing both the portable client and the USB Auto Run Configuration
Tool The functionalities are same as before
381 Network Explorer Portable
To use Network Explorer Portable client user can simply download it from NeoRouter download website and run
Then user will see the same user interface as the regular Network Explorer The user experience is almost the same
except for the following
The host running PortableUSB client cannot be added to the computer list or be accessed by remote computer
You can think of it as a ldquoviewer of the VLANrdquo
NeoRouter administrator users can see and manage hosts running PortableUSB clients in the Configuration
Explorer
382 Auto Run Configuration for USB
Auto Run Configuration Tool allows user to store the portable client add-ons and configuration on a USB drive
You can even configure it to launch and sign in automatically when the USB drive is plugged into a computer and to
sign out and exit when the USB drive is unplugged
Here are the steps for setting up the USB package
a Download NeoRouter for USB
b Unzip the package to any folder For example CTEMP
c Launch the ldquoAuto Run Configuration Toolrdquo (AutoRunCfgexe)
User Manual
NeoRouter Inc 2010 Page 30 of 53
d Click on the ldquohelliprdquo button next to the working directory text box and specify a working path If the target
USB drive is plugged in you can specify the USB drive root path as the working directory Or you can
specify a temporary path (eg CTEMPUSB) and copy the files to your USB driver later
e Once you specify a working directory the Settings section will be enabled
f Choose CliViewerexe from the same install zip package as the Target file
g Check the Sign in checkbox and enter the domain name and user information to log into your NeoRouter
VLAN
h Setup the proxy information if necessary
i If you want to import a NeoRouter add-on click on the button on the right side of the Add-on file text
box and specify an add-on nri file
j If you want to run an application automatically after signing in click on the Run application
automatically check box and input an executable file path and parameters
k If you want to hide the NeoRouter Viewer window click on the Minimize NeoRouter window when
started
l Click on Save button to save the configuration files It will generate the following files under the working
directory
- Autoruninf
- CliViewerexe copied from the target file
- NRAutoRunxml
- [add-on file]nri if you specify an add-on
- Proxyxml if you specify a proxy
m You will also see the following dialog if the configuration was successful Then please copy all files and
sub-folder under the working directory to the root of your USB drive And the USB drive is ready to use
39 Change Password
A user can change hisher password in NeoRouter Network Explorer User must sign in the Network Explorer using
old password then choose menu ldquoFile | Change Passwordrdquo then enter the new password in the dialog
Network Explorer CLI has similar functionality After signing in user can use ndashchangepassword command to enter
new password
If a user loses the old password an administrator can create a new password for himher using the Configuration
Explorer User Management tool
User Manual
NeoRouter Inc 2010 Page 31 of 53
4 Configuration Explorer
NeoRouter Configuration Explorer is a Windows application that allows an administrator to manage local or remote
NeoRouter server This is the recommended method to change server settings
If user does not have a Windows computer nrserver CLI can be used to perform most configurations
41 Launch and Sign In
Note Only administrators can sign in Configuration Explorer
a User can launch it from Windows Start Menu | All Programs | NeoRouter | NeoRouter Network Explorer
or from NeoRouter Network Explorer menu ldquoFile | Optionsrdquo
b After launch user will see a sign-in dialog that is similar to the Network Explorer counterpart Please enter
domain name and user credential to sign in If the local host is behind a proxy please click on Connection
button to set proxy information
c After sign in the following general information page will be displayed
User Manual
NeoRouter Inc 2010 Page 32 of 53
42 Managing Users
In the User Accounts page you can perform the following tasks
- View existing users The users list can be sorted by any column
- Add a new user admin will create a temporary password for the new user and user can change the
password in Network Explorer
- Edit user information you can enter anything like employer contact info etc
- Set userrsquos password If a user loses password admin can set a temporary password for himher Then user
can change the password again in Network Explorer
- Disable (block) a user A disabled user will not be able to sign in Network Explorer or Configuration
Explorer The userrsquos profile and ACL settings are retained
- Delete a user all information of this user is deleted
- View the computers that are visible to this user (see ACL section for details)
User Manual
NeoRouter Inc 2010 Page 33 of 53
43 Managing Computers
In the Computers page you can perform the following tasks
- View existing computers please note that the Type column will show ldquoTemporaryrdquo for Network Explore
PortableUSB clients and ldquoPermanentrdquo for regular clients The computer list can be sorted by any column
- Edit a computerrsquos alias When a computer is added to the virtual network NeoRouter reads the computer
name from the OS and displays it in the computer list If you prefer a different name you can create an
alias which will then be used in the computer list
- Edit a computerrsquos description you can enter anything like computer owner location asset id etc
- Edit ACL this will be discussed in next section
User Manual
NeoRouter Inc 2010 Page 34 of 53
44 Access Control List
This feature is available in NeoRouter Profession Edition only
441 Overview
The ACL of a host specifies which users are granted or denied access to the host and which specific services or ports
are allowed Administrators can use ACL to manage a NeoRouter domain that has users with different trust levels
For example Joe uses NeoRouter to manage the office network at his small business He wants to share some
documents on a file server with a customer but block this customer from accessing other services on this file server
and other computers at office At the same time Joe and his coworkers should continue to have full access to all
computers
This can be a daunting task with traditional VPN solutions Once Joersquos customer is connected into the office
network heshe can access all network resources just like Joe and his coworkers If the office uses a domain
controller it can help mitigate the threat but Joe would have to check all the computers to ensure they are secure
Some coworkers can make innocent mistakes and share important files or internal websites with ldquoeveryonerdquo With
NeoRouter Joe can manage all the access control at one place and easily solve this challenge
User Manual
NeoRouter Inc 2010 Page 35 of 53
ACL defines the relationships between users and computers that can be conceptually represented using a table In
Joersquos case he needs to define the ACL as follows
Default User Joe (Admin) Customer Joersquo Co-workers
Default Computer ACL Block all
File Server Allow all Allow file sharing
block other services
Office Computer A Allow all Block all
Office Computer B Allow all Block all
Joersquos laptop Allow all Block all
Customerrsquos Computer
Letrsquos first look at the row for File Server Joersquos customer will only have access to the files sharing service There is
no ACL defined for Joe and his co-workers so the ACL for Default User is effective and they have full access
Similarly the customer will be blocked from accessing office computer A and B as well as Joersquos laptop while Joe
and his coworkers have full access to these computers
When the customer connects to Joersquos NeoRouter domain his computer will be added to the domain Because the
ACL for this computer is undefined it will have the same ACL as ldquoDefault Computerrdquo Thus the customerrsquos
computer will block all users including Joe from accessing it The customer has physical access to his own
computer
442 Define Computer ACL
You can think of a computerrsquos ACL as a row in the above ACL table An admin can select any computer in the
computer list and edit its ACL If a group of computers share the same ACL admin can copy ACL from one
computer to another
To edit the Default Computer ACL you can click on the ldquoEdit Default ACLrdquo button in the tool bar
User Manual
NeoRouter Inc 2010 Page 36 of 53
443 Define ACL entry
An ACL entry defines the relationship between one user and one computer You can think of it as a cell in the above
table To edit an ACL entry you can select the computer in the computer list click Edit ACL in the tool bar and
then select the user in the User List in the following dialog If the user does not exist in the list you can click Add
button and add himher
There are 4 types of ACL entries
Undefined the relationship between the user and the computer is not explicitly defined The user does not
show up in the User List of the ACL In this case the Default User ACL entry for this computer will be
effective
Block All the computer is invisible to the user User cannot add the computer to hisher computer list in
Network Explorer or connect to it
Note admin can view the list of computers that is visible to a specific user Click on the User Accounts tab
choose the user and then click on the ldquoUser Computer Listrdquo button from tool bar
Firewall On User can only access the services in the exceptions list provided by the computer
Firewall Off User can access all services provided by the computer
To define the Default User ACL entry for a computer choose Default User from User List If several users have the
same trust level admin can copy the ACL entry from one user to another using the ldquoCopy Fromrdquo button
444 How Firewall Works
NeoRouter Client Service daemon has a built-in firewall that monitors traffic in the virtual network The firewall
downloads the ACL from server and uses it to allow or deny incoming connections in the virtual network
User Manual
NeoRouter Inc 2010 Page 37 of 53
When a remote computer establishes a direct P2P or relayed connection to local host it also informs which user has
signed into the Network Explorer on the remote computer Then the local hostrsquos firewall will use the user id to
choose the appropriate ACL entry and control the virtual network traffic between these two computers If user does
not sign in Network Explorer on the remote computer the Default User ACL entry is used
As a result NeoRouter firewall can control a userrsquos access to a network resource (a computer or a service on a
computer) based on the ACL
445 Example hub-and-spoke
Jeffrsquos company has three business partners A B and C Jeff needs to setup bidirectional network connections with
each partner but these partners should be invisible to each other Jeff setup a NeoRouter domain and invited the
partners to Then Jeff creates the following ACL to achieve his access control goals
Default User Jeff (Admin) Partner A Partner B Partner C
Default Computer ACL Block all Allow all
Jeffrsquos Computer 1 (Hub 1) Allow all
Jeffrsquos Computer 2 (Hub 2) Allow all
Partner Arsquos Computer
Partner Brsquos computer
Partner Crsquos computer
Every user will have access to Jeffrsquos two computers (hub) because they have Default User ACL entry as ldquoAllow
allrdquo Partner Arsquos computer does not have a specific ACL defined so the Default Computer ACL is effective The
Default Computer ACL grants Jeff access to Partner Arsquos computer but make the computer invisible to Partner B and
C Partner A have physical access to his own computer
446 Example one-way access
Jasonrsquos company provide technical support for customer A Jason needs to have one-way access to Customer Arsquos
computer but block Customer A from accessing Jasonrsquos computer Jason sets up the following ACL for his domain
and invites Customer A to join his domain Jason can access all the computers in the domain while Customer A can
access none except for his own
One day Jason visits another Customer Brsquos office He installs NeoRouter client on Customer Brsquos computer so that he
can provide technical support remotely in the future When he signs into Network Explorer he makes sure to
uncheck ldquoremember my passwordrdquo checkbox When he leaves customer Brsquos office he exits the Network Explorer
Because Network Explorer is not running on Customer Brsquos computer the Default User ACL governs the
connections from Customer Brsquos computer to other computers in the VLAN Thus Customer B does not have access
to any computers except for his own When Jason goes back to his office he can connect to Customer Brsquos computer
remotely and provide customer support
The difference between Customer A and B is that Customer A has a NeoRouter user account while Customer B does
not The result is that Jason has access to all three computers while Customer A or B can only access hisher own
computer
Default User Jason (Admin) Customer A
Default Computer ACL Block all Allow all
Jasonrsquos Computer
Customer Arsquos Computer
Customer Brsquos Computer
User Manual
NeoRouter Inc 2010 Page 38 of 53
45 Managing Server and Domain
In the Settings page you can perform the following tasks
- Change domain name User should have setup a domain during the server installation If you decide to
change the domain name you can create a new domain at NeoRouter Dashboard website and then use
Configuration Explorer to switch the server to new domain
- Change Listen Port this is discussed in the Advanced Configuration chapter
- Change NAT setting this is discussed in the Server Installation chapter
- Change DHCP this is discussed in the Advanced Configuration chapter
Please restart the NeoRouter server daemon after changes
46 Branding
This feature is available in NeoRouter Profession Edition only
Admin can customize the logo on the sign-in page NeoRouter Network Explorer and the banner below the computer
list The customization page of the Configuration Explorer allows user to make these changes The changes will be
effective next time user signs into the Network Explorer
User Manual
NeoRouter Inc 2010 Page 39 of 53
a Logo format custom logo can be JPG JPEG BMP or GIF files The Logo will be displayed in 180 80
pixels and the file will be automatically resized to fit The color of the pixel at (0 0) will be used as the
transparent color
b Banner format custom banner can be JPG JPEG BMP or GIF files The banner will be displayed in
190 42 pixels and the file will be automatically resized to fit
c When user clicks on the banner Network Explorer will launch a web browser and navigate to the link
specified in the ldquoBanner Linkrdquo box The banner link should be a valid URL that begins with http eg
httpwwwgooglecom
User Manual
NeoRouter Inc 2010 Page 40 of 53
47 Server Configuration CLI
Another way to configure the NeoRouter server is to use nrserverrsquos CLI If user does not have a Windows computer
with Configuration Explorer this tool can be used to set most configurations
Usage nrserver [options]
-run [--dbroot ltDBROOTgt]]
-showsettings
-setdomain ltDOMAINNAMEgt ltDOMAINPASSWORDgt
-setport ltPORTgt
-dhcp ltSUBNETgt ltNETMASKgt
-showusers
-adduser ltUSERNAMEgt ltPASSWORDgt [admin|user]
-setpassword ltUSERNAMEgt ltNEW PASSWORDgt
-setrole ltUSERNAMEgt [admin|user]
-enableuser ltUSERNAMEgt
-disableuser ltUSERNAMEgt
-deleteuser ltUSERNAMEgt
-showcomputers
-deletecomputer COMPUTERNAME
-setalias COMPUTERNAME ALIAS
-help
5 Advanced Configuration
51 Change Server Port
By default NeoRouter server listens at TCP port 32976 for incoming client connections User can change the
listening port to any valid number between 1 and 65534
a Launch Configuration Explorer sign in and open the Settings tab
b Click on ldquoChange Portrdquo button input the new listening port and click ldquoOkrdquo to save the settings
c If the NeoRouter Server is running on the same computer user will be prompted for restarting the
NeoRouter Server
d If the NeoRouter Server is running on a different computer or device user needs to restart the server
manually
User Manual
NeoRouter Inc 2010 Page 41 of 53
Note
- The new settings will not take effect until the NeoRouter server stops and restarts
- Since the listening port has been changed all NeoRouter clients connected to the server will be
disconnected and have to reconnect to the server
52 Change DHCP NeoRouter server acts as a DHCP server to allocate the virtual IP address when a NeoRouter client connects to it By default the base IP address is 100002552552550 User can change the base IP address to any valid network IP address to meet the specific requirements
a Run Configuration Explorer sign in and open the ldquoSettingsrdquo tab b Click on ldquoChange DHCPrdquo button input the new IP address and netmask and then click ldquoOkrdquo to save the
settings c If the NeoRouter Server is running on the same computer user will be prompted for restarting the
NeoRouter Server d If the NeoRouter Server is running on a different computer or device user needs to restart the server
manually
Note
- The new settings will not take effect until the NeoRouter server stops and restarts
53 Network Bridge
531 Overview NeoRouter (v099 or later) supports the Network Bridge feature which uses two very different means for
interconnecting networks routing and bridging Once the feature is enabled the ACL feature will be disabled
automatically as we cannot control the packets from the external networks anymore and may cause security issues if
its not setup properly So this is an advanced feature for the users who know about it every well
Routing - refers to the interconnection of separate and independent sub-networks (subnets) which have non-
overlapping ranges of IP addresses Upon receiving a packet sent to it a network router examines the
destination IP address to determine which of several connected networks should receive it after which that packet
is forwarded to the proper network
User Manual
NeoRouter Inc 2010 Page 42 of 53
Bridging - by comparison is much simpler A network bridge is simply an electrical interconnection between
separate physical networks that are all carrying the same ranges of IP addresses Standard dumb network hubs
and switches are examples of network bridges With a hub packets arriving at any port are bridged and sent
out to every other port A switch is a bit smarter since it is able to adaptively learn which network interface cards
(NICs) are attached to which ports But a switch is still interconnecting network segments carrying the same
ranges of IP addresses
532 Routing vs Bridging Although routed connections are the most common and straightforward to configure they suffer from significant
operational limitations By comparison bridged connections are generally much trickier to configure and are not
even natively available under all operating systems so they are not the default connection type But when bridging
is properly setup it correctly does everything that we want
Bridging and routing are functionally very similar with the major difference being that a routed VPN will not pass
IP broadcasts while a bridged VPN will
Routing advantages
Efficiency and scalability
Allows better tuning of MTU for efficiency
Routing disadvantages
Clients must use a WINS server (such as samba) to allow cross-VPN network browsing to work
Routes must be set up linking each subnet
Software that depends on broadcasts will not see machines on the other side of the VPN
Works only with IPv4 in general and IPv6 in cases where tuntap drivers on both ends of the connection
support it explicitly
Bridging advantages
Broadcasts traverse the VPN -- this allows software that depends on LAN broadcasts such as Windows
NetBIOS file sharing and network neighborhood browsing to work
No route statements to configure
Works with any protocol that can function over ethernet
Relatively easy-to-configure solution for road warriors
Bridging disadvantages
Less efficient than routing and does not scale well
533 Setup Network Bridge With either bridging mode or routing mode one can create point-to-site VPN site-to-site VPN or even multiple site-
to-site networks Once a network structure is well designed one can use Featureini file to control NeoRouter client
service to implement it
The file Featureini is located in the main configuration folder which can be various for different OS
On Windows Xp
XDocuments and SettingsAll UsersApplication DataZebraNetworkSystemsNeoRouter
On Vista+
XUsersAll UsersZebraNetworkSystemsNeoRouter
On Linux and Mac OSX
usrlocalZebraNetworkSystemsNeoRouter
On in-a-box
jffs
If it does not exist please create one
The only thing to do is define the parameters in the Featureini file
User Manual
NeoRouter Inc 2010 Page 43 of 53
NetworkBridge=1
LANSegment parameter
This is a set of parameters used for mapping the external IP address or IP range to a virtual IP address so that
NeoRouter can route the packets to the proper tunnel Its defined in the following format
LANSegment[index]=[IP|IP range|segment]VIP
[index] - number start from 1 for example 123
[IP] - a valid external IP address for example 192168129126
[IP range] - a set of external IP addresses in the format as IP_BEGIN-IP_END For example 192168129126-
192168129128
[segment] - a set of external IP addresses in the format as SUBNETWORKNETMASK For example
19216812902552552550
For example
[Default]
NetworkBridge=1
LANSegment1=192168129126-192168129128192168129204
LANSegment2=192168129120192168129205
LANSegment3=192168302552552550192168129206
In the sample above the setting tells NeoRouter how to route packets
Here are several common scenarios
534 Bridging Setup ndash point to site VPN
Requirement
A company wants create a point-to-site VPN so that the employees can remotely access the printers or computers in
the office from home or customer site Since NeoRouter client cannot be installed on the printers and some
User Manual
NeoRouter Inc 2010 Page 44 of 53
computers that are running Unix OS (HP-Unix Solaris or SCO Unix) the NeoRouter Network Bridge feature
would the best choice
Design
Since we want to use the printer its better to use the bridging mode Depending on the requirements we split the
network into 3 groups
1 192168129126 - 192168128128 used for computers or printers
2 192168129200 - 192168129254 used for NeoRouter DHCP
3 Other IP address we dont want packets from these IP range go to our VPN
Setup
1 Setup NeoRouter server and config the DHCP address to 1921681292002552552550
2 Setup the gateway computer by creating a bridge to combine the NeoRouter virtual adapter and a local adapter
On Windows XP+ (except WinXp x64) one can use Windows tool to create a bridge
(check out MSDN for details)
Since some adapters may not fully support prosmic mode one has to enable it manually
(check out httpsupportmicrosoftcomkb302348)
gt netsh bridge show adapter
gt netsh bridge set a 1 e
gt netsh bridge set a 2 e
On Linux one can use brctl command to create a bridge
gt brctl addbr $br
gt brctl addif $br eth0
gt brctl addif $br nrtap
gt ifconfig nrtap 0000 promisc up
gt ifconfig eth0 0000 promisc up
gt ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast
gt
gt ifconfig $br down
gt brctl delbr $br
3 Setup Featureini file on each member of the NeoRouter network The content of the file is
[Default]
NetworkBridge=1
LANSegment1=192168129126-192168129128192168129204
After setting the file restart the nrservice or reboot computer
User Manual
NeoRouter Inc 2010 Page 45 of 53
535 Routing Setup ndash site to site VPN
Requirement
A company wants create a site-to-site VPN to link two offices located in different cities They cannot install
NeoRouter client software on their computers running Unix OS (HP-Unix Solaris or SCO Unix) The NeoRouter
Network Bridge feature would be the best choice
Design
To make the VPN fast its better to use the routing mode From the requirements we can see 3 networks
1 19216812902552552550 Office 1
2 192168302552552550 Office 2
3 100102552552550 NeoRouter virtual network
Setup
1 Setup NeoRouter client on each gateway computers
2 One each gateway computer enable the feature allowing the OS to forward packets
On Windows 2000+
create HKEY_Local_MachineSystemCurrentControlSetServicesTcpipParametersIPEnableRouter
as a string value equal to 1 in the registry This will require a system reboot to take effect To confirm it
is enabled do ipconfig all from the command line IP Routing Enabled should say yes If not confirm your
registry setting and reboot again This setting is flaky in non-server versions of Windows
Also refer to httpsupportmicrosoftcomkb230082en-us
On Linux
gt echo 1 gt procsysnetipv4ip_forward
User Manual
NeoRouter Inc 2010 Page 46 of 53
On Mac OS X
1) The easy way is to create or edit etcsysctlconf and add netinetipforwarding=1
or
2) gt sysctl -w netinetipforwarding=1
3 Setup route on each gateway
On the gateway of the 1921683x network
gt route ndashp add 1921681290 mask 25525500 1001103
On the gateway of the 192168129x network
gt route ndashp add 19216830 mask 25525500 1001102
4 Setup route stable When using routing method you need to tell your other machines how to cross the VPN to
access computers on the opposite network
Option1
This requires more work but limits configuration changes to be at the computer level
On each computer of the 1921683x network
gt route ndashp add 1921681290 mask 25525500 1921683234
On each computer of the 192168129x network
gt route ndashp add 19216830 mask 25525500 192168129129
Option 2 (not all routers support this but it is the minimal configuration method)
On the router acting as the default gateway for 1921683x network add a static route that says any traffic destined
for 1921681290 network go through 1921683x (IP address of NeoRouter PC on 1921683x network)
On the router acting as the default gateway for 192168129x network add a static route that says any traffic
destined for 19216830 network go through 192168129x (IP address of NeoRouter PC on 192168129x
network)
User Manual
NeoRouter Inc 2010 Page 47 of 53
536 Bridging Setup ndash site to site VPN
537 Run Scripts When Network Bridge feature is enabled one can define commands getting called by NR Client on the following
events
These commands should be defined in the Featureini file
1When initialize the tap device but not activate it yet
CmdOnTapInit=xxxxxxxxx
2When the tap device gets activated
CmdOnTapActive=xxxxxxxxx
3When tap device gets destroyed
CmdOnTapUninit=xxxxxxxxx
These options are available on all platforms
For example one can define a script to setup static route table after the tap gets activated and has virtual IP address
assigned
Featureini
CmdOnTapActive=usrbinsetroutetablesh
User Manual
NeoRouter Inc 2010 Page 48 of 53
54 Build Custom Add-on (Windows)
541 Create Custom Add-on You can customize an add-on or even create your own
As an example letrsquos create an add-on to get the system info of a remote computer using PsTools by Mark
Russinovich and systeminfoexe command shipped with Windows
PsTools httptechnetmicrosoftcomen-ussysinternalsbb896649aspx
systeminfo httptechnetmicrosoftcomen-uslibrarybb491007aspx
a Launch NeoRouter Network Explorer open Add-ons Manager dialog
b Click + button to create a new add-on
c In add-on properties dialog enter the following
Add-on name psexec systeminfo
Command
cmdexe C cpstoolspsexecexe NRIPAddress -u ltusernamegt systeminfo amp pause
Please replace ltusernamegt with username on the remote computer
Comment Get SystemInfo of remote machine using psexec
Startup Type Manual
Icon click Change Icon button to choose one thats easy to recognize
d In the command you can use Windows environment variables or NeoRouter variables like
NRIPAddress If you click on the button next to the Command edit box you will see the Edit
Command dialog with a list of variables you can use
User Manual
NeoRouter Inc 2010 Page 49 of 53
e Three Startup types are supported
Manual the add-on will be displayed in the launch pad of Network Explorer and user can manually
launch the program
Automatic after signing in the add-on command is automatically executed when user signs into
NeoRouter Network Explorer
Automatic after Windows starts the add-on command is automatically executed when Windows
starts
f Launch the new add-on just click on the target computer in Network Explorer and choose the add-on in
the pop-up launch pad
User Manual
NeoRouter Inc 2010 Page 50 of 53
g In the above steps I have assumed that PsTools are installed at cPsTools and the remote computer has
telnet service enabled If not lets configure the system now
PsTools download from httptechnetmicrosoftcomen-ussysinternalsbb896649aspx and extract to
cPsTools folder
h Configure telnet service on remote computer This step is required on XPVista but not necessary on
Windows 20032008 servers
Run servicesmsc from the Start -gt Run command window and configured the Telnet service for
Automatic Start the service
Follow the instructions here httpsupportmicrosoftcomkb298060en-us
Launch Windows firewall and add CWINDOWSSystem32tlntsvrexe to exception list
542 Add-on File Formats
NeoRouter supports two types of add-on files nri and nra Most users only need to deal with nri files all files
downloaded from httpwwwneoroutercomaddonsindexhtml are in this format nra files are used by advanced
users to build custom add-ons
nri is the full installation package that contains both the application and the the configure info Users can simply
download nri files from and use the Install button to setup the add-on
nra contains only the configuration info Advanced users can create custom add-ons and export the configuration
info as nra files using the Export button in the add-on properties dialog Then heshe can import the nra file
on another client But remember that you will need to manually setup the application as well
User Manual
NeoRouter Inc 2010 Page 51 of 53
6 Licensing NeoRouter
61 Licensing Overview
NeoRouter Server Professional Edition has a license control mechanism User can purchase either 8 licenses or 256
licenses The number of licenses is the max number of client computers allowed in the virtual network A
NeoRouter client requires one license regardless of whether it is online or offline A NeoRouter PortableUSB client
requires one license when it is connected to the virtual network There is no limit on the number of user accounts
NeoRouter Professional has 30 days trial period Please activate before the trial period expires to ensure
uninterrupted usage The license status and remaining trial days can be found at Configuration Explorerrsquos General
page
62 Activation
If you have purchased NeoRouter Professional Edition you should receive a product key in email Please have the
product key ready before starting the activation process
a Ensure NeoRouter server is running
b Launch Configuration Explorer and sign in
c Open ldquoGeneralrdquo page click on the ldquoActivate Productrdquo button
d Enter the product key in the following dialog
e Click on the ldquoOKrdquo button to activate it
After successful activation the ldquoActivate Productrdquo button will disappear and License status will show as activated
If the server host is non-Windows you can also activate using nrserverrsquos CLI The command is as follows On Mac
nrserver executable is located under LibraryNeoRouter
ldquonrserver ndashactivateproduct ltPRODUCT KEYgtrdquo
63 Product Key Recovery
You should receive a product key in email within 48 hours after your purchase If you lose the product key please
contact us and provide your name company shipping address and email address We will verify the information and
resend the product key to you
User Manual
NeoRouter Inc 2010 Page 52 of 53
7 Troubleshooting and Support
71 Troubleshooting
If you come cross issues when using NeoRouter please use the methods to debug or report
711 Troubleshooting steps
1Install Server
2Check Server
Process
3Check Server
Listening port
4Check Port
Forwarding
6Signin with
Domain
14Check Error
Message
20 Generate Log
and email support
9Install Client
10Check Client
Service Process
11Sign in with
serverrsquos local or
public IP and port
failed
sucessful
15 Manually Start
Servernot found
started
not start
found
not open17 Check Port
conflicts
solved
Not solved
opened
19 Check Router
Port Forward
setting
not work
Set properly
8Ready
Sign in successfully
5Sign in with
public IP and port
successful
Cannot sign in
22 Router Hairpin
issue
Cannot
sign in
12Sign in with
domain name
found
successful
failed
16 Manually Start
Client ServiceNot found
started
13Ready
Sign in successfully
18 Check serverCannot
Sign in
solved
Cannot
sign in
21 Check domain
setting
Not sovled solved
Troubleshooting Steps
Setup Server Setup Client
Note
Step 2 and 10 to check if a process is running you can use Task Manager or Services Console on
Windows or ps command on other platforms
Step 3 to check server listening port you can use telnet or netstat on all platforms You can also
TcpViewer on Windows or NetActView on Linux
Step 4 to check port forwarding you can use httpwwwneoroutercomcheckportphp
Step 5 and 6 Tip ndash use Configuration Explorer instead of Network Explorer to debug server issues
Step 20 next section will explain how to generate log files
User Manual
NeoRouter Inc 2010 Page 53 of 53
Step 22 If your router does not support Hairpin please set serverrsquos LAN address in the Connection
Options dialog See Server Local Address
712 Generate Log
If you need technical support please use the following steps to collect the log files and send them to
supportneoroutercom
a Launch Network Explorer
b Select menu item HelpgtgtTroubleshootinggtgtLog Session to File
c If you want to troubleshoot the server then restart the NeoRouter server service from the servicesmsc if
you want to create log for the client then restart the NeoRouter client service from the servicemsc
d After reproduce the issue select menu item HelpgtgtTroubleshootinggtgt Log Session to File again to disable
the log and restart the service you are trying to log
e Select menu item HelpgtgtTroubleshootinggtgtOpen Configuration Folder and you will see the log file
For advanced users please setup logging settings manually referring to
httpwwwneoroutercomwikiindexphpNeoRouterWikiFAQHow_to_generate_a_log_file3F
72 Contact Us
Company website
httpwwwneoroutercom
Technical support
supportneoroutercom
Support ticket
httpswwwneoroutercomDashboardSendTicketaspx
Support forum
httpwwwneoroutercomforum
Product sales
salesneoroutercom
Knowledge base
httpwwwneoroutercomsupport
User Manual
NeoRouter Inc 2010 Page 20 of 53
c To find more add-ons click on the Add-ons Gallery link at the bottom of the dialog or visit
httpwwwneoroutercomaddonsindexhtml in your web browser Download the add-on (nri) file to
your computer
d In the Add-ons Manager dialog click on Install button locate the nri file you just downloaded and
click Open to install the add-on
e Some add-ons including UltraVNC may require user to restart the NeoRouter Network Explorer to
complete the installation In such case you will see the following message box You can exit NeoRouter
Network Explorer by right click its icon in system tray and choose exit
f After installation you will see the new add-ons show up in the list
User Manual
NeoRouter Inc 2010 Page 21 of 53
g When you re-launch NeoRouter Network Explorer UltraVNC server will be started automatically If you
have not run UltraVNC server before you will see the following firewall warning and VNC configuration
dialog
h Please click the unblock button when you see the following dialog
Please enter VNC password then click the Ok button
User Manual
NeoRouter Inc 2010 Page 22 of 53
i Repeat the above steps on the remote computer that you plan to access
j To launch VNC viewer and access the remote computer choose the computer in the computer list and
click VNC viewer icon in the launch pad
333 Manage Add-ons (Mac)
a Launch NeoRouter Network Explorer choose menu File - Add-ons
b The Add-ons Manager dialog lists all the existing add-ons including system default ones and those added
by user
User Manual
NeoRouter Inc 2010 Page 23 of 53
c An add-on is essentially an apple script with NeoRouter parameters Here are some examples
Name Script
Copy IP set the clipboard to $NRIPAddress
Ping tell application Terminal to do script ping $NRIPAddress
Shared Folder tell application Finder to open location smb$NRIPAddress
Variables $NRIPAddress and $NRComputerName will be replaced with the IP and name of the selected
computer before the add-on is executed
d You can also create new add-ons or edit existing ones using the Add-On Properties dialog
User Manual
NeoRouter Inc 2010 Page 24 of 53
e To learn more about Apple Script please visit the following websites
httpenwikipediaorgwikiAppleScript
httpdeveloperapplecommaclibrarydocumentationAppleScriptConceptualAppleScriptXAp
pleScriptXhtml
34 Connection Options Connection Options dialog can be opened from Network Explorer menu ldquoFile | Connectionrdquo
341 P2P Connection This option allows user to specify the connection type between this computer and its peers The default option is
UDP User can also use direct TCP connection or relay traffic through NeoRouter server
342 Proxy Setting If the client host is behind proxy user can enter the proxy information here
User Manual
NeoRouter Inc 2010 Page 25 of 53
343 Server Local Address This option can be used to work around the connectivity issue when NeoRouter server is behind a router that does
not support hairpin
A router supports hairpin if it allows a host behind it to send network messages to its public-facing interface
Unfortunately some popular routers do not support this feature or turn off this feature by default
When user logs into NeoRouter Network Explorer first translates domain name into routerrsquos public address using
the NeoRouter DDNS service and then tries to connect to server using this address If both NeoRouter server and
client are behind the same router and the router does not support hairpin the router will block the messages that
client sends to the routerrsquos public address thus client fails to establish connection to server User could work around
this issue by entering serverrsquos LAN IP address instead of domain name in the ldquolog on tordquo box but this can be a
hassle for laptop users who frequently move between networks
These users can choose the second option ldquoConnect to server using its local address when possiblerdquo in the following
dialog and enter serverrsquos local address NeoRouter Network Explorer can detect when client and server are behind
the same router and automatically choose the specified local address to establish the connection to server
User Manual
NeoRouter Inc 2010 Page 26 of 53
35 Multi-Language
Multi-Language support allows you to change the default language displayed in Network Explorer NeoRouter
Portable and Configuration Explorer
351 Install a language resource file
NeoRouter applications support 34 languages and English is the default To install a new language you can
download the language resource files from
httpwwwneoroutercomwikiindexphpNeoRouterWikiMultilanguage and place them under the translation
folder Then the application will load them and list all available languages in the Language menu You can switch
language in the menu and the application will refresh its UI with the new language
For NeoRouter Network Explorer and Configuration Explorer the language resource files should be placed under
one of the following folders
ldquoProgram FilesZebraNetworkSystemsNeoRouterTranslationrdquo
ldquoAllUsersAppdataZebraNetworkSystemsNeoRouterTranslationrdquo
For NeoRouter PortableUSB the language resource file should be placed under Translations folder next to
application
352 Language resource file format
The file name should have the following format [Appliation Name] can be NRClient NRViewer and NRConsole
[LangCd] is the short language code
[Application name]Resource[LangCd][xml|dll]
For example Simplified Chinese version has the following files NRClientResourceZhCnxml for Network
Explorer NRConsoleResourceZhCnxml for Configuration Explorer and NRViewerResourceZhCnxml for
NeoRouter Portable
User Manual
NeoRouter Inc 2010 Page 27 of 53
Each resource file is an xml that contains all the strings defined in the NeoRouter applications The file is encoded in
ANSI The content should be in the format
ltxml version=10 encoding=windows-1252gt
ltresource CompactMode=1 Language=English (United States) LANGID=1033
version=09101650gt
ltstring id=100 value=OLE initialization failed Make sure that the OLE libraries are
the correct versiongt
ltresourcegt
Encoding (=windows-1252) Language(=English (United States)) and LANGID(=1033) are used to control
the translation version=09101650 is resource file version number introduced in v0910 The resource file can
be recognized properly only when these parameters are set properly
353 Multi-Language support for Add-ons
The names and descriptions of the add-ons can be translated to other languages as well You can download the add-
on configuration file from NeoRouter website and overwrite the following file
AllUserAppDataZebraNetworkSystemsNeoRouterAddOnsAddOnxml
36 Skin
Skin allows you to further customize the user interfaces of Network Explorer NeoRouter Portable and
Configuration Explorer
To install a new skin you can download the skin resource file from
httpwwwneoroutercomwikiindexphpNeoRouterWikiSkin and place them under the skin folder
For NeoRouter Network Explorer and Configuration Explorer the language resource files should be placed under
one of the following folders
ldquoProgram FilesZebraNetworkSystemsNeoRouterSkinrdquo
ldquoAllUsersAppdataZebraNetworkSystemsNeoRouterSkinrdquo
For NeoRouter PortableUSB the language resource file should be placed under Skin folder next to executable
To change default skin you need to modify (or create if not exists)
AllUserAppDataZebraNetworkSystemsNeoRouterFeatureini file and add the following
[Default]
SkinName=xxxxstyles
SkinStyle=xxxxini
37 Network Explorer CLI
NeoRouter Network Explorer Command Line Interface (CLI) allows user to sign in manage the computer list and
view computer status Below are the screenshots on Mac and Ubuntu Linux
User Manual
NeoRouter Inc 2010 Page 28 of 53
371 Launch CLI
Usage nrclientcmd [-d DOMAIN] [-u USERNAME] [-p PASSWORD] [-setproxy] [-setconn] [-dbroot DBROOT]
[-internal] [--help]
To launch Network Explorer CLI you can simply run nrclientcmd in a terminal without parameters Mac users can
simply double-click on the nrclientcmd shortcut on the Desktop You will be prompted for domain name and user
credential
If you need to launch nrclientcmd in a startup script you can also provide domain name or credential in the
command line arguments
If the client host is behind a proxy you can use ndashsetproxy option The proxy information will be stored in the
configuration file and nrclientcmd will respect this setting subsequently
There are also a few advance options
- setconn allow user to specify client-to-client connection type
- dbroot allow user to specify the location to store user data
- internal nrclientcmd will generate tags between information sections This option can be used by third
party developers to create a UI wrapper for CLI
372 Computer List in CLI
After signing in you will see your computer list just like on Windows The computer list will automatically update
if there are any changes in your virtual LAN eg a host comes online or offline
At the bottom of the screen lists the available commands you can use to manage the computer list change password
remotely wake up a computer or to quit
38 Network Explorer Portable
NeoRouter Network Explorer Portable can run from any computer without installation It does not require
administrator permission or use the virtual network adapter This application can be extremely useful for users who
need to connect to the VLAN from a public kiosk or from friendrsquos house
User Manual
NeoRouter Inc 2010 Page 29 of 53
Note Prior to v111 Portable and USB are two separate packages They are merged into one package in v111 and
later releases The new package is a zip file containing both the portable client and the USB Auto Run Configuration
Tool The functionalities are same as before
381 Network Explorer Portable
To use Network Explorer Portable client user can simply download it from NeoRouter download website and run
Then user will see the same user interface as the regular Network Explorer The user experience is almost the same
except for the following
The host running PortableUSB client cannot be added to the computer list or be accessed by remote computer
You can think of it as a ldquoviewer of the VLANrdquo
NeoRouter administrator users can see and manage hosts running PortableUSB clients in the Configuration
Explorer
382 Auto Run Configuration for USB
Auto Run Configuration Tool allows user to store the portable client add-ons and configuration on a USB drive
You can even configure it to launch and sign in automatically when the USB drive is plugged into a computer and to
sign out and exit when the USB drive is unplugged
Here are the steps for setting up the USB package
a Download NeoRouter for USB
b Unzip the package to any folder For example CTEMP
c Launch the ldquoAuto Run Configuration Toolrdquo (AutoRunCfgexe)
User Manual
NeoRouter Inc 2010 Page 30 of 53
d Click on the ldquohelliprdquo button next to the working directory text box and specify a working path If the target
USB drive is plugged in you can specify the USB drive root path as the working directory Or you can
specify a temporary path (eg CTEMPUSB) and copy the files to your USB driver later
e Once you specify a working directory the Settings section will be enabled
f Choose CliViewerexe from the same install zip package as the Target file
g Check the Sign in checkbox and enter the domain name and user information to log into your NeoRouter
VLAN
h Setup the proxy information if necessary
i If you want to import a NeoRouter add-on click on the button on the right side of the Add-on file text
box and specify an add-on nri file
j If you want to run an application automatically after signing in click on the Run application
automatically check box and input an executable file path and parameters
k If you want to hide the NeoRouter Viewer window click on the Minimize NeoRouter window when
started
l Click on Save button to save the configuration files It will generate the following files under the working
directory
- Autoruninf
- CliViewerexe copied from the target file
- NRAutoRunxml
- [add-on file]nri if you specify an add-on
- Proxyxml if you specify a proxy
m You will also see the following dialog if the configuration was successful Then please copy all files and
sub-folder under the working directory to the root of your USB drive And the USB drive is ready to use
39 Change Password
A user can change hisher password in NeoRouter Network Explorer User must sign in the Network Explorer using
old password then choose menu ldquoFile | Change Passwordrdquo then enter the new password in the dialog
Network Explorer CLI has similar functionality After signing in user can use ndashchangepassword command to enter
new password
If a user loses the old password an administrator can create a new password for himher using the Configuration
Explorer User Management tool
User Manual
NeoRouter Inc 2010 Page 31 of 53
4 Configuration Explorer
NeoRouter Configuration Explorer is a Windows application that allows an administrator to manage local or remote
NeoRouter server This is the recommended method to change server settings
If user does not have a Windows computer nrserver CLI can be used to perform most configurations
41 Launch and Sign In
Note Only administrators can sign in Configuration Explorer
a User can launch it from Windows Start Menu | All Programs | NeoRouter | NeoRouter Network Explorer
or from NeoRouter Network Explorer menu ldquoFile | Optionsrdquo
b After launch user will see a sign-in dialog that is similar to the Network Explorer counterpart Please enter
domain name and user credential to sign in If the local host is behind a proxy please click on Connection
button to set proxy information
c After sign in the following general information page will be displayed
User Manual
NeoRouter Inc 2010 Page 32 of 53
42 Managing Users
In the User Accounts page you can perform the following tasks
- View existing users The users list can be sorted by any column
- Add a new user admin will create a temporary password for the new user and user can change the
password in Network Explorer
- Edit user information you can enter anything like employer contact info etc
- Set userrsquos password If a user loses password admin can set a temporary password for himher Then user
can change the password again in Network Explorer
- Disable (block) a user A disabled user will not be able to sign in Network Explorer or Configuration
Explorer The userrsquos profile and ACL settings are retained
- Delete a user all information of this user is deleted
- View the computers that are visible to this user (see ACL section for details)
User Manual
NeoRouter Inc 2010 Page 33 of 53
43 Managing Computers
In the Computers page you can perform the following tasks
- View existing computers please note that the Type column will show ldquoTemporaryrdquo for Network Explore
PortableUSB clients and ldquoPermanentrdquo for regular clients The computer list can be sorted by any column
- Edit a computerrsquos alias When a computer is added to the virtual network NeoRouter reads the computer
name from the OS and displays it in the computer list If you prefer a different name you can create an
alias which will then be used in the computer list
- Edit a computerrsquos description you can enter anything like computer owner location asset id etc
- Edit ACL this will be discussed in next section
User Manual
NeoRouter Inc 2010 Page 34 of 53
44 Access Control List
This feature is available in NeoRouter Profession Edition only
441 Overview
The ACL of a host specifies which users are granted or denied access to the host and which specific services or ports
are allowed Administrators can use ACL to manage a NeoRouter domain that has users with different trust levels
For example Joe uses NeoRouter to manage the office network at his small business He wants to share some
documents on a file server with a customer but block this customer from accessing other services on this file server
and other computers at office At the same time Joe and his coworkers should continue to have full access to all
computers
This can be a daunting task with traditional VPN solutions Once Joersquos customer is connected into the office
network heshe can access all network resources just like Joe and his coworkers If the office uses a domain
controller it can help mitigate the threat but Joe would have to check all the computers to ensure they are secure
Some coworkers can make innocent mistakes and share important files or internal websites with ldquoeveryonerdquo With
NeoRouter Joe can manage all the access control at one place and easily solve this challenge
User Manual
NeoRouter Inc 2010 Page 35 of 53
ACL defines the relationships between users and computers that can be conceptually represented using a table In
Joersquos case he needs to define the ACL as follows
Default User Joe (Admin) Customer Joersquo Co-workers
Default Computer ACL Block all
File Server Allow all Allow file sharing
block other services
Office Computer A Allow all Block all
Office Computer B Allow all Block all
Joersquos laptop Allow all Block all
Customerrsquos Computer
Letrsquos first look at the row for File Server Joersquos customer will only have access to the files sharing service There is
no ACL defined for Joe and his co-workers so the ACL for Default User is effective and they have full access
Similarly the customer will be blocked from accessing office computer A and B as well as Joersquos laptop while Joe
and his coworkers have full access to these computers
When the customer connects to Joersquos NeoRouter domain his computer will be added to the domain Because the
ACL for this computer is undefined it will have the same ACL as ldquoDefault Computerrdquo Thus the customerrsquos
computer will block all users including Joe from accessing it The customer has physical access to his own
computer
442 Define Computer ACL
You can think of a computerrsquos ACL as a row in the above ACL table An admin can select any computer in the
computer list and edit its ACL If a group of computers share the same ACL admin can copy ACL from one
computer to another
To edit the Default Computer ACL you can click on the ldquoEdit Default ACLrdquo button in the tool bar
User Manual
NeoRouter Inc 2010 Page 36 of 53
443 Define ACL entry
An ACL entry defines the relationship between one user and one computer You can think of it as a cell in the above
table To edit an ACL entry you can select the computer in the computer list click Edit ACL in the tool bar and
then select the user in the User List in the following dialog If the user does not exist in the list you can click Add
button and add himher
There are 4 types of ACL entries
Undefined the relationship between the user and the computer is not explicitly defined The user does not
show up in the User List of the ACL In this case the Default User ACL entry for this computer will be
effective
Block All the computer is invisible to the user User cannot add the computer to hisher computer list in
Network Explorer or connect to it
Note admin can view the list of computers that is visible to a specific user Click on the User Accounts tab
choose the user and then click on the ldquoUser Computer Listrdquo button from tool bar
Firewall On User can only access the services in the exceptions list provided by the computer
Firewall Off User can access all services provided by the computer
To define the Default User ACL entry for a computer choose Default User from User List If several users have the
same trust level admin can copy the ACL entry from one user to another using the ldquoCopy Fromrdquo button
444 How Firewall Works
NeoRouter Client Service daemon has a built-in firewall that monitors traffic in the virtual network The firewall
downloads the ACL from server and uses it to allow or deny incoming connections in the virtual network
User Manual
NeoRouter Inc 2010 Page 37 of 53
When a remote computer establishes a direct P2P or relayed connection to local host it also informs which user has
signed into the Network Explorer on the remote computer Then the local hostrsquos firewall will use the user id to
choose the appropriate ACL entry and control the virtual network traffic between these two computers If user does
not sign in Network Explorer on the remote computer the Default User ACL entry is used
As a result NeoRouter firewall can control a userrsquos access to a network resource (a computer or a service on a
computer) based on the ACL
445 Example hub-and-spoke
Jeffrsquos company has three business partners A B and C Jeff needs to setup bidirectional network connections with
each partner but these partners should be invisible to each other Jeff setup a NeoRouter domain and invited the
partners to Then Jeff creates the following ACL to achieve his access control goals
Default User Jeff (Admin) Partner A Partner B Partner C
Default Computer ACL Block all Allow all
Jeffrsquos Computer 1 (Hub 1) Allow all
Jeffrsquos Computer 2 (Hub 2) Allow all
Partner Arsquos Computer
Partner Brsquos computer
Partner Crsquos computer
Every user will have access to Jeffrsquos two computers (hub) because they have Default User ACL entry as ldquoAllow
allrdquo Partner Arsquos computer does not have a specific ACL defined so the Default Computer ACL is effective The
Default Computer ACL grants Jeff access to Partner Arsquos computer but make the computer invisible to Partner B and
C Partner A have physical access to his own computer
446 Example one-way access
Jasonrsquos company provide technical support for customer A Jason needs to have one-way access to Customer Arsquos
computer but block Customer A from accessing Jasonrsquos computer Jason sets up the following ACL for his domain
and invites Customer A to join his domain Jason can access all the computers in the domain while Customer A can
access none except for his own
One day Jason visits another Customer Brsquos office He installs NeoRouter client on Customer Brsquos computer so that he
can provide technical support remotely in the future When he signs into Network Explorer he makes sure to
uncheck ldquoremember my passwordrdquo checkbox When he leaves customer Brsquos office he exits the Network Explorer
Because Network Explorer is not running on Customer Brsquos computer the Default User ACL governs the
connections from Customer Brsquos computer to other computers in the VLAN Thus Customer B does not have access
to any computers except for his own When Jason goes back to his office he can connect to Customer Brsquos computer
remotely and provide customer support
The difference between Customer A and B is that Customer A has a NeoRouter user account while Customer B does
not The result is that Jason has access to all three computers while Customer A or B can only access hisher own
computer
Default User Jason (Admin) Customer A
Default Computer ACL Block all Allow all
Jasonrsquos Computer
Customer Arsquos Computer
Customer Brsquos Computer
User Manual
NeoRouter Inc 2010 Page 38 of 53
45 Managing Server and Domain
In the Settings page you can perform the following tasks
- Change domain name User should have setup a domain during the server installation If you decide to
change the domain name you can create a new domain at NeoRouter Dashboard website and then use
Configuration Explorer to switch the server to new domain
- Change Listen Port this is discussed in the Advanced Configuration chapter
- Change NAT setting this is discussed in the Server Installation chapter
- Change DHCP this is discussed in the Advanced Configuration chapter
Please restart the NeoRouter server daemon after changes
46 Branding
This feature is available in NeoRouter Profession Edition only
Admin can customize the logo on the sign-in page NeoRouter Network Explorer and the banner below the computer
list The customization page of the Configuration Explorer allows user to make these changes The changes will be
effective next time user signs into the Network Explorer
User Manual
NeoRouter Inc 2010 Page 39 of 53
a Logo format custom logo can be JPG JPEG BMP or GIF files The Logo will be displayed in 180 80
pixels and the file will be automatically resized to fit The color of the pixel at (0 0) will be used as the
transparent color
b Banner format custom banner can be JPG JPEG BMP or GIF files The banner will be displayed in
190 42 pixels and the file will be automatically resized to fit
c When user clicks on the banner Network Explorer will launch a web browser and navigate to the link
specified in the ldquoBanner Linkrdquo box The banner link should be a valid URL that begins with http eg
httpwwwgooglecom
User Manual
NeoRouter Inc 2010 Page 40 of 53
47 Server Configuration CLI
Another way to configure the NeoRouter server is to use nrserverrsquos CLI If user does not have a Windows computer
with Configuration Explorer this tool can be used to set most configurations
Usage nrserver [options]
-run [--dbroot ltDBROOTgt]]
-showsettings
-setdomain ltDOMAINNAMEgt ltDOMAINPASSWORDgt
-setport ltPORTgt
-dhcp ltSUBNETgt ltNETMASKgt
-showusers
-adduser ltUSERNAMEgt ltPASSWORDgt [admin|user]
-setpassword ltUSERNAMEgt ltNEW PASSWORDgt
-setrole ltUSERNAMEgt [admin|user]
-enableuser ltUSERNAMEgt
-disableuser ltUSERNAMEgt
-deleteuser ltUSERNAMEgt
-showcomputers
-deletecomputer COMPUTERNAME
-setalias COMPUTERNAME ALIAS
-help
5 Advanced Configuration
51 Change Server Port
By default NeoRouter server listens at TCP port 32976 for incoming client connections User can change the
listening port to any valid number between 1 and 65534
a Launch Configuration Explorer sign in and open the Settings tab
b Click on ldquoChange Portrdquo button input the new listening port and click ldquoOkrdquo to save the settings
c If the NeoRouter Server is running on the same computer user will be prompted for restarting the
NeoRouter Server
d If the NeoRouter Server is running on a different computer or device user needs to restart the server
manually
User Manual
NeoRouter Inc 2010 Page 41 of 53
Note
- The new settings will not take effect until the NeoRouter server stops and restarts
- Since the listening port has been changed all NeoRouter clients connected to the server will be
disconnected and have to reconnect to the server
52 Change DHCP NeoRouter server acts as a DHCP server to allocate the virtual IP address when a NeoRouter client connects to it By default the base IP address is 100002552552550 User can change the base IP address to any valid network IP address to meet the specific requirements
a Run Configuration Explorer sign in and open the ldquoSettingsrdquo tab b Click on ldquoChange DHCPrdquo button input the new IP address and netmask and then click ldquoOkrdquo to save the
settings c If the NeoRouter Server is running on the same computer user will be prompted for restarting the
NeoRouter Server d If the NeoRouter Server is running on a different computer or device user needs to restart the server
manually
Note
- The new settings will not take effect until the NeoRouter server stops and restarts
53 Network Bridge
531 Overview NeoRouter (v099 or later) supports the Network Bridge feature which uses two very different means for
interconnecting networks routing and bridging Once the feature is enabled the ACL feature will be disabled
automatically as we cannot control the packets from the external networks anymore and may cause security issues if
its not setup properly So this is an advanced feature for the users who know about it every well
Routing - refers to the interconnection of separate and independent sub-networks (subnets) which have non-
overlapping ranges of IP addresses Upon receiving a packet sent to it a network router examines the
destination IP address to determine which of several connected networks should receive it after which that packet
is forwarded to the proper network
User Manual
NeoRouter Inc 2010 Page 42 of 53
Bridging - by comparison is much simpler A network bridge is simply an electrical interconnection between
separate physical networks that are all carrying the same ranges of IP addresses Standard dumb network hubs
and switches are examples of network bridges With a hub packets arriving at any port are bridged and sent
out to every other port A switch is a bit smarter since it is able to adaptively learn which network interface cards
(NICs) are attached to which ports But a switch is still interconnecting network segments carrying the same
ranges of IP addresses
532 Routing vs Bridging Although routed connections are the most common and straightforward to configure they suffer from significant
operational limitations By comparison bridged connections are generally much trickier to configure and are not
even natively available under all operating systems so they are not the default connection type But when bridging
is properly setup it correctly does everything that we want
Bridging and routing are functionally very similar with the major difference being that a routed VPN will not pass
IP broadcasts while a bridged VPN will
Routing advantages
Efficiency and scalability
Allows better tuning of MTU for efficiency
Routing disadvantages
Clients must use a WINS server (such as samba) to allow cross-VPN network browsing to work
Routes must be set up linking each subnet
Software that depends on broadcasts will not see machines on the other side of the VPN
Works only with IPv4 in general and IPv6 in cases where tuntap drivers on both ends of the connection
support it explicitly
Bridging advantages
Broadcasts traverse the VPN -- this allows software that depends on LAN broadcasts such as Windows
NetBIOS file sharing and network neighborhood browsing to work
No route statements to configure
Works with any protocol that can function over ethernet
Relatively easy-to-configure solution for road warriors
Bridging disadvantages
Less efficient than routing and does not scale well
533 Setup Network Bridge With either bridging mode or routing mode one can create point-to-site VPN site-to-site VPN or even multiple site-
to-site networks Once a network structure is well designed one can use Featureini file to control NeoRouter client
service to implement it
The file Featureini is located in the main configuration folder which can be various for different OS
On Windows Xp
XDocuments and SettingsAll UsersApplication DataZebraNetworkSystemsNeoRouter
On Vista+
XUsersAll UsersZebraNetworkSystemsNeoRouter
On Linux and Mac OSX
usrlocalZebraNetworkSystemsNeoRouter
On in-a-box
jffs
If it does not exist please create one
The only thing to do is define the parameters in the Featureini file
User Manual
NeoRouter Inc 2010 Page 43 of 53
NetworkBridge=1
LANSegment parameter
This is a set of parameters used for mapping the external IP address or IP range to a virtual IP address so that
NeoRouter can route the packets to the proper tunnel Its defined in the following format
LANSegment[index]=[IP|IP range|segment]VIP
[index] - number start from 1 for example 123
[IP] - a valid external IP address for example 192168129126
[IP range] - a set of external IP addresses in the format as IP_BEGIN-IP_END For example 192168129126-
192168129128
[segment] - a set of external IP addresses in the format as SUBNETWORKNETMASK For example
19216812902552552550
For example
[Default]
NetworkBridge=1
LANSegment1=192168129126-192168129128192168129204
LANSegment2=192168129120192168129205
LANSegment3=192168302552552550192168129206
In the sample above the setting tells NeoRouter how to route packets
Here are several common scenarios
534 Bridging Setup ndash point to site VPN
Requirement
A company wants create a point-to-site VPN so that the employees can remotely access the printers or computers in
the office from home or customer site Since NeoRouter client cannot be installed on the printers and some
User Manual
NeoRouter Inc 2010 Page 44 of 53
computers that are running Unix OS (HP-Unix Solaris or SCO Unix) the NeoRouter Network Bridge feature
would the best choice
Design
Since we want to use the printer its better to use the bridging mode Depending on the requirements we split the
network into 3 groups
1 192168129126 - 192168128128 used for computers or printers
2 192168129200 - 192168129254 used for NeoRouter DHCP
3 Other IP address we dont want packets from these IP range go to our VPN
Setup
1 Setup NeoRouter server and config the DHCP address to 1921681292002552552550
2 Setup the gateway computer by creating a bridge to combine the NeoRouter virtual adapter and a local adapter
On Windows XP+ (except WinXp x64) one can use Windows tool to create a bridge
(check out MSDN for details)
Since some adapters may not fully support prosmic mode one has to enable it manually
(check out httpsupportmicrosoftcomkb302348)
gt netsh bridge show adapter
gt netsh bridge set a 1 e
gt netsh bridge set a 2 e
On Linux one can use brctl command to create a bridge
gt brctl addbr $br
gt brctl addif $br eth0
gt brctl addif $br nrtap
gt ifconfig nrtap 0000 promisc up
gt ifconfig eth0 0000 promisc up
gt ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast
gt
gt ifconfig $br down
gt brctl delbr $br
3 Setup Featureini file on each member of the NeoRouter network The content of the file is
[Default]
NetworkBridge=1
LANSegment1=192168129126-192168129128192168129204
After setting the file restart the nrservice or reboot computer
User Manual
NeoRouter Inc 2010 Page 45 of 53
535 Routing Setup ndash site to site VPN
Requirement
A company wants create a site-to-site VPN to link two offices located in different cities They cannot install
NeoRouter client software on their computers running Unix OS (HP-Unix Solaris or SCO Unix) The NeoRouter
Network Bridge feature would be the best choice
Design
To make the VPN fast its better to use the routing mode From the requirements we can see 3 networks
1 19216812902552552550 Office 1
2 192168302552552550 Office 2
3 100102552552550 NeoRouter virtual network
Setup
1 Setup NeoRouter client on each gateway computers
2 One each gateway computer enable the feature allowing the OS to forward packets
On Windows 2000+
create HKEY_Local_MachineSystemCurrentControlSetServicesTcpipParametersIPEnableRouter
as a string value equal to 1 in the registry This will require a system reboot to take effect To confirm it
is enabled do ipconfig all from the command line IP Routing Enabled should say yes If not confirm your
registry setting and reboot again This setting is flaky in non-server versions of Windows
Also refer to httpsupportmicrosoftcomkb230082en-us
On Linux
gt echo 1 gt procsysnetipv4ip_forward
User Manual
NeoRouter Inc 2010 Page 46 of 53
On Mac OS X
1) The easy way is to create or edit etcsysctlconf and add netinetipforwarding=1
or
2) gt sysctl -w netinetipforwarding=1
3 Setup route on each gateway
On the gateway of the 1921683x network
gt route ndashp add 1921681290 mask 25525500 1001103
On the gateway of the 192168129x network
gt route ndashp add 19216830 mask 25525500 1001102
4 Setup route stable When using routing method you need to tell your other machines how to cross the VPN to
access computers on the opposite network
Option1
This requires more work but limits configuration changes to be at the computer level
On each computer of the 1921683x network
gt route ndashp add 1921681290 mask 25525500 1921683234
On each computer of the 192168129x network
gt route ndashp add 19216830 mask 25525500 192168129129
Option 2 (not all routers support this but it is the minimal configuration method)
On the router acting as the default gateway for 1921683x network add a static route that says any traffic destined
for 1921681290 network go through 1921683x (IP address of NeoRouter PC on 1921683x network)
On the router acting as the default gateway for 192168129x network add a static route that says any traffic
destined for 19216830 network go through 192168129x (IP address of NeoRouter PC on 192168129x
network)
User Manual
NeoRouter Inc 2010 Page 47 of 53
536 Bridging Setup ndash site to site VPN
537 Run Scripts When Network Bridge feature is enabled one can define commands getting called by NR Client on the following
events
These commands should be defined in the Featureini file
1When initialize the tap device but not activate it yet
CmdOnTapInit=xxxxxxxxx
2When the tap device gets activated
CmdOnTapActive=xxxxxxxxx
3When tap device gets destroyed
CmdOnTapUninit=xxxxxxxxx
These options are available on all platforms
For example one can define a script to setup static route table after the tap gets activated and has virtual IP address
assigned
Featureini
CmdOnTapActive=usrbinsetroutetablesh
User Manual
NeoRouter Inc 2010 Page 48 of 53
54 Build Custom Add-on (Windows)
541 Create Custom Add-on You can customize an add-on or even create your own
As an example letrsquos create an add-on to get the system info of a remote computer using PsTools by Mark
Russinovich and systeminfoexe command shipped with Windows
PsTools httptechnetmicrosoftcomen-ussysinternalsbb896649aspx
systeminfo httptechnetmicrosoftcomen-uslibrarybb491007aspx
a Launch NeoRouter Network Explorer open Add-ons Manager dialog
b Click + button to create a new add-on
c In add-on properties dialog enter the following
Add-on name psexec systeminfo
Command
cmdexe C cpstoolspsexecexe NRIPAddress -u ltusernamegt systeminfo amp pause
Please replace ltusernamegt with username on the remote computer
Comment Get SystemInfo of remote machine using psexec
Startup Type Manual
Icon click Change Icon button to choose one thats easy to recognize
d In the command you can use Windows environment variables or NeoRouter variables like
NRIPAddress If you click on the button next to the Command edit box you will see the Edit
Command dialog with a list of variables you can use
User Manual
NeoRouter Inc 2010 Page 49 of 53
e Three Startup types are supported
Manual the add-on will be displayed in the launch pad of Network Explorer and user can manually
launch the program
Automatic after signing in the add-on command is automatically executed when user signs into
NeoRouter Network Explorer
Automatic after Windows starts the add-on command is automatically executed when Windows
starts
f Launch the new add-on just click on the target computer in Network Explorer and choose the add-on in
the pop-up launch pad
User Manual
NeoRouter Inc 2010 Page 50 of 53
g In the above steps I have assumed that PsTools are installed at cPsTools and the remote computer has
telnet service enabled If not lets configure the system now
PsTools download from httptechnetmicrosoftcomen-ussysinternalsbb896649aspx and extract to
cPsTools folder
h Configure telnet service on remote computer This step is required on XPVista but not necessary on
Windows 20032008 servers
Run servicesmsc from the Start -gt Run command window and configured the Telnet service for
Automatic Start the service
Follow the instructions here httpsupportmicrosoftcomkb298060en-us
Launch Windows firewall and add CWINDOWSSystem32tlntsvrexe to exception list
542 Add-on File Formats
NeoRouter supports two types of add-on files nri and nra Most users only need to deal with nri files all files
downloaded from httpwwwneoroutercomaddonsindexhtml are in this format nra files are used by advanced
users to build custom add-ons
nri is the full installation package that contains both the application and the the configure info Users can simply
download nri files from and use the Install button to setup the add-on
nra contains only the configuration info Advanced users can create custom add-ons and export the configuration
info as nra files using the Export button in the add-on properties dialog Then heshe can import the nra file
on another client But remember that you will need to manually setup the application as well
User Manual
NeoRouter Inc 2010 Page 51 of 53
6 Licensing NeoRouter
61 Licensing Overview
NeoRouter Server Professional Edition has a license control mechanism User can purchase either 8 licenses or 256
licenses The number of licenses is the max number of client computers allowed in the virtual network A
NeoRouter client requires one license regardless of whether it is online or offline A NeoRouter PortableUSB client
requires one license when it is connected to the virtual network There is no limit on the number of user accounts
NeoRouter Professional has 30 days trial period Please activate before the trial period expires to ensure
uninterrupted usage The license status and remaining trial days can be found at Configuration Explorerrsquos General
page
62 Activation
If you have purchased NeoRouter Professional Edition you should receive a product key in email Please have the
product key ready before starting the activation process
a Ensure NeoRouter server is running
b Launch Configuration Explorer and sign in
c Open ldquoGeneralrdquo page click on the ldquoActivate Productrdquo button
d Enter the product key in the following dialog
e Click on the ldquoOKrdquo button to activate it
After successful activation the ldquoActivate Productrdquo button will disappear and License status will show as activated
If the server host is non-Windows you can also activate using nrserverrsquos CLI The command is as follows On Mac
nrserver executable is located under LibraryNeoRouter
ldquonrserver ndashactivateproduct ltPRODUCT KEYgtrdquo
63 Product Key Recovery
You should receive a product key in email within 48 hours after your purchase If you lose the product key please
contact us and provide your name company shipping address and email address We will verify the information and
resend the product key to you
User Manual
NeoRouter Inc 2010 Page 52 of 53
7 Troubleshooting and Support
71 Troubleshooting
If you come cross issues when using NeoRouter please use the methods to debug or report
711 Troubleshooting steps
1Install Server
2Check Server
Process
3Check Server
Listening port
4Check Port
Forwarding
6Signin with
Domain
14Check Error
Message
20 Generate Log
and email support
9Install Client
10Check Client
Service Process
11Sign in with
serverrsquos local or
public IP and port
failed
sucessful
15 Manually Start
Servernot found
started
not start
found
not open17 Check Port
conflicts
solved
Not solved
opened
19 Check Router
Port Forward
setting
not work
Set properly
8Ready
Sign in successfully
5Sign in with
public IP and port
successful
Cannot sign in
22 Router Hairpin
issue
Cannot
sign in
12Sign in with
domain name
found
successful
failed
16 Manually Start
Client ServiceNot found
started
13Ready
Sign in successfully
18 Check serverCannot
Sign in
solved
Cannot
sign in
21 Check domain
setting
Not sovled solved
Troubleshooting Steps
Setup Server Setup Client
Note
Step 2 and 10 to check if a process is running you can use Task Manager or Services Console on
Windows or ps command on other platforms
Step 3 to check server listening port you can use telnet or netstat on all platforms You can also
TcpViewer on Windows or NetActView on Linux
Step 4 to check port forwarding you can use httpwwwneoroutercomcheckportphp
Step 5 and 6 Tip ndash use Configuration Explorer instead of Network Explorer to debug server issues
Step 20 next section will explain how to generate log files
User Manual
NeoRouter Inc 2010 Page 53 of 53
Step 22 If your router does not support Hairpin please set serverrsquos LAN address in the Connection
Options dialog See Server Local Address
712 Generate Log
If you need technical support please use the following steps to collect the log files and send them to
supportneoroutercom
a Launch Network Explorer
b Select menu item HelpgtgtTroubleshootinggtgtLog Session to File
c If you want to troubleshoot the server then restart the NeoRouter server service from the servicesmsc if
you want to create log for the client then restart the NeoRouter client service from the servicemsc
d After reproduce the issue select menu item HelpgtgtTroubleshootinggtgt Log Session to File again to disable
the log and restart the service you are trying to log
e Select menu item HelpgtgtTroubleshootinggtgtOpen Configuration Folder and you will see the log file
For advanced users please setup logging settings manually referring to
httpwwwneoroutercomwikiindexphpNeoRouterWikiFAQHow_to_generate_a_log_file3F
72 Contact Us
Company website
httpwwwneoroutercom
Technical support
supportneoroutercom
Support ticket
httpswwwneoroutercomDashboardSendTicketaspx
Support forum
httpwwwneoroutercomforum
Product sales
salesneoroutercom
Knowledge base
httpwwwneoroutercomsupport
User Manual
NeoRouter Inc 2010 Page 21 of 53
g When you re-launch NeoRouter Network Explorer UltraVNC server will be started automatically If you
have not run UltraVNC server before you will see the following firewall warning and VNC configuration
dialog
h Please click the unblock button when you see the following dialog
Please enter VNC password then click the Ok button
User Manual
NeoRouter Inc 2010 Page 22 of 53
i Repeat the above steps on the remote computer that you plan to access
j To launch VNC viewer and access the remote computer choose the computer in the computer list and
click VNC viewer icon in the launch pad
333 Manage Add-ons (Mac)
a Launch NeoRouter Network Explorer choose menu File - Add-ons
b The Add-ons Manager dialog lists all the existing add-ons including system default ones and those added
by user
User Manual
NeoRouter Inc 2010 Page 23 of 53
c An add-on is essentially an apple script with NeoRouter parameters Here are some examples
Name Script
Copy IP set the clipboard to $NRIPAddress
Ping tell application Terminal to do script ping $NRIPAddress
Shared Folder tell application Finder to open location smb$NRIPAddress
Variables $NRIPAddress and $NRComputerName will be replaced with the IP and name of the selected
computer before the add-on is executed
d You can also create new add-ons or edit existing ones using the Add-On Properties dialog
User Manual
NeoRouter Inc 2010 Page 24 of 53
e To learn more about Apple Script please visit the following websites
httpenwikipediaorgwikiAppleScript
httpdeveloperapplecommaclibrarydocumentationAppleScriptConceptualAppleScriptXAp
pleScriptXhtml
34 Connection Options Connection Options dialog can be opened from Network Explorer menu ldquoFile | Connectionrdquo
341 P2P Connection This option allows user to specify the connection type between this computer and its peers The default option is
UDP User can also use direct TCP connection or relay traffic through NeoRouter server
342 Proxy Setting If the client host is behind proxy user can enter the proxy information here
User Manual
NeoRouter Inc 2010 Page 25 of 53
343 Server Local Address This option can be used to work around the connectivity issue when NeoRouter server is behind a router that does
not support hairpin
A router supports hairpin if it allows a host behind it to send network messages to its public-facing interface
Unfortunately some popular routers do not support this feature or turn off this feature by default
When user logs into NeoRouter Network Explorer first translates domain name into routerrsquos public address using
the NeoRouter DDNS service and then tries to connect to server using this address If both NeoRouter server and
client are behind the same router and the router does not support hairpin the router will block the messages that
client sends to the routerrsquos public address thus client fails to establish connection to server User could work around
this issue by entering serverrsquos LAN IP address instead of domain name in the ldquolog on tordquo box but this can be a
hassle for laptop users who frequently move between networks
These users can choose the second option ldquoConnect to server using its local address when possiblerdquo in the following
dialog and enter serverrsquos local address NeoRouter Network Explorer can detect when client and server are behind
the same router and automatically choose the specified local address to establish the connection to server
User Manual
NeoRouter Inc 2010 Page 26 of 53
35 Multi-Language
Multi-Language support allows you to change the default language displayed in Network Explorer NeoRouter
Portable and Configuration Explorer
351 Install a language resource file
NeoRouter applications support 34 languages and English is the default To install a new language you can
download the language resource files from
httpwwwneoroutercomwikiindexphpNeoRouterWikiMultilanguage and place them under the translation
folder Then the application will load them and list all available languages in the Language menu You can switch
language in the menu and the application will refresh its UI with the new language
For NeoRouter Network Explorer and Configuration Explorer the language resource files should be placed under
one of the following folders
ldquoProgram FilesZebraNetworkSystemsNeoRouterTranslationrdquo
ldquoAllUsersAppdataZebraNetworkSystemsNeoRouterTranslationrdquo
For NeoRouter PortableUSB the language resource file should be placed under Translations folder next to
application
352 Language resource file format
The file name should have the following format [Appliation Name] can be NRClient NRViewer and NRConsole
[LangCd] is the short language code
[Application name]Resource[LangCd][xml|dll]
For example Simplified Chinese version has the following files NRClientResourceZhCnxml for Network
Explorer NRConsoleResourceZhCnxml for Configuration Explorer and NRViewerResourceZhCnxml for
NeoRouter Portable
User Manual
NeoRouter Inc 2010 Page 27 of 53
Each resource file is an xml that contains all the strings defined in the NeoRouter applications The file is encoded in
ANSI The content should be in the format
ltxml version=10 encoding=windows-1252gt
ltresource CompactMode=1 Language=English (United States) LANGID=1033
version=09101650gt
ltstring id=100 value=OLE initialization failed Make sure that the OLE libraries are
the correct versiongt
ltresourcegt
Encoding (=windows-1252) Language(=English (United States)) and LANGID(=1033) are used to control
the translation version=09101650 is resource file version number introduced in v0910 The resource file can
be recognized properly only when these parameters are set properly
353 Multi-Language support for Add-ons
The names and descriptions of the add-ons can be translated to other languages as well You can download the add-
on configuration file from NeoRouter website and overwrite the following file
AllUserAppDataZebraNetworkSystemsNeoRouterAddOnsAddOnxml
36 Skin
Skin allows you to further customize the user interfaces of Network Explorer NeoRouter Portable and
Configuration Explorer
To install a new skin you can download the skin resource file from
httpwwwneoroutercomwikiindexphpNeoRouterWikiSkin and place them under the skin folder
For NeoRouter Network Explorer and Configuration Explorer the language resource files should be placed under
one of the following folders
ldquoProgram FilesZebraNetworkSystemsNeoRouterSkinrdquo
ldquoAllUsersAppdataZebraNetworkSystemsNeoRouterSkinrdquo
For NeoRouter PortableUSB the language resource file should be placed under Skin folder next to executable
To change default skin you need to modify (or create if not exists)
AllUserAppDataZebraNetworkSystemsNeoRouterFeatureini file and add the following
[Default]
SkinName=xxxxstyles
SkinStyle=xxxxini
37 Network Explorer CLI
NeoRouter Network Explorer Command Line Interface (CLI) allows user to sign in manage the computer list and
view computer status Below are the screenshots on Mac and Ubuntu Linux
User Manual
NeoRouter Inc 2010 Page 28 of 53
371 Launch CLI
Usage nrclientcmd [-d DOMAIN] [-u USERNAME] [-p PASSWORD] [-setproxy] [-setconn] [-dbroot DBROOT]
[-internal] [--help]
To launch Network Explorer CLI you can simply run nrclientcmd in a terminal without parameters Mac users can
simply double-click on the nrclientcmd shortcut on the Desktop You will be prompted for domain name and user
credential
If you need to launch nrclientcmd in a startup script you can also provide domain name or credential in the
command line arguments
If the client host is behind a proxy you can use ndashsetproxy option The proxy information will be stored in the
configuration file and nrclientcmd will respect this setting subsequently
There are also a few advance options
- setconn allow user to specify client-to-client connection type
- dbroot allow user to specify the location to store user data
- internal nrclientcmd will generate tags between information sections This option can be used by third
party developers to create a UI wrapper for CLI
372 Computer List in CLI
After signing in you will see your computer list just like on Windows The computer list will automatically update
if there are any changes in your virtual LAN eg a host comes online or offline
At the bottom of the screen lists the available commands you can use to manage the computer list change password
remotely wake up a computer or to quit
38 Network Explorer Portable
NeoRouter Network Explorer Portable can run from any computer without installation It does not require
administrator permission or use the virtual network adapter This application can be extremely useful for users who
need to connect to the VLAN from a public kiosk or from friendrsquos house
User Manual
NeoRouter Inc 2010 Page 29 of 53
Note Prior to v111 Portable and USB are two separate packages They are merged into one package in v111 and
later releases The new package is a zip file containing both the portable client and the USB Auto Run Configuration
Tool The functionalities are same as before
381 Network Explorer Portable
To use Network Explorer Portable client user can simply download it from NeoRouter download website and run
Then user will see the same user interface as the regular Network Explorer The user experience is almost the same
except for the following
The host running PortableUSB client cannot be added to the computer list or be accessed by remote computer
You can think of it as a ldquoviewer of the VLANrdquo
NeoRouter administrator users can see and manage hosts running PortableUSB clients in the Configuration
Explorer
382 Auto Run Configuration for USB
Auto Run Configuration Tool allows user to store the portable client add-ons and configuration on a USB drive
You can even configure it to launch and sign in automatically when the USB drive is plugged into a computer and to
sign out and exit when the USB drive is unplugged
Here are the steps for setting up the USB package
a Download NeoRouter for USB
b Unzip the package to any folder For example CTEMP
c Launch the ldquoAuto Run Configuration Toolrdquo (AutoRunCfgexe)
User Manual
NeoRouter Inc 2010 Page 30 of 53
d Click on the ldquohelliprdquo button next to the working directory text box and specify a working path If the target
USB drive is plugged in you can specify the USB drive root path as the working directory Or you can
specify a temporary path (eg CTEMPUSB) and copy the files to your USB driver later
e Once you specify a working directory the Settings section will be enabled
f Choose CliViewerexe from the same install zip package as the Target file
g Check the Sign in checkbox and enter the domain name and user information to log into your NeoRouter
VLAN
h Setup the proxy information if necessary
i If you want to import a NeoRouter add-on click on the button on the right side of the Add-on file text
box and specify an add-on nri file
j If you want to run an application automatically after signing in click on the Run application
automatically check box and input an executable file path and parameters
k If you want to hide the NeoRouter Viewer window click on the Minimize NeoRouter window when
started
l Click on Save button to save the configuration files It will generate the following files under the working
directory
- Autoruninf
- CliViewerexe copied from the target file
- NRAutoRunxml
- [add-on file]nri if you specify an add-on
- Proxyxml if you specify a proxy
m You will also see the following dialog if the configuration was successful Then please copy all files and
sub-folder under the working directory to the root of your USB drive And the USB drive is ready to use
39 Change Password
A user can change hisher password in NeoRouter Network Explorer User must sign in the Network Explorer using
old password then choose menu ldquoFile | Change Passwordrdquo then enter the new password in the dialog
Network Explorer CLI has similar functionality After signing in user can use ndashchangepassword command to enter
new password
If a user loses the old password an administrator can create a new password for himher using the Configuration
Explorer User Management tool
User Manual
NeoRouter Inc 2010 Page 31 of 53
4 Configuration Explorer
NeoRouter Configuration Explorer is a Windows application that allows an administrator to manage local or remote
NeoRouter server This is the recommended method to change server settings
If user does not have a Windows computer nrserver CLI can be used to perform most configurations
41 Launch and Sign In
Note Only administrators can sign in Configuration Explorer
a User can launch it from Windows Start Menu | All Programs | NeoRouter | NeoRouter Network Explorer
or from NeoRouter Network Explorer menu ldquoFile | Optionsrdquo
b After launch user will see a sign-in dialog that is similar to the Network Explorer counterpart Please enter
domain name and user credential to sign in If the local host is behind a proxy please click on Connection
button to set proxy information
c After sign in the following general information page will be displayed
User Manual
NeoRouter Inc 2010 Page 32 of 53
42 Managing Users
In the User Accounts page you can perform the following tasks
- View existing users The users list can be sorted by any column
- Add a new user admin will create a temporary password for the new user and user can change the
password in Network Explorer
- Edit user information you can enter anything like employer contact info etc
- Set userrsquos password If a user loses password admin can set a temporary password for himher Then user
can change the password again in Network Explorer
- Disable (block) a user A disabled user will not be able to sign in Network Explorer or Configuration
Explorer The userrsquos profile and ACL settings are retained
- Delete a user all information of this user is deleted
- View the computers that are visible to this user (see ACL section for details)
User Manual
NeoRouter Inc 2010 Page 33 of 53
43 Managing Computers
In the Computers page you can perform the following tasks
- View existing computers please note that the Type column will show ldquoTemporaryrdquo for Network Explore
PortableUSB clients and ldquoPermanentrdquo for regular clients The computer list can be sorted by any column
- Edit a computerrsquos alias When a computer is added to the virtual network NeoRouter reads the computer
name from the OS and displays it in the computer list If you prefer a different name you can create an
alias which will then be used in the computer list
- Edit a computerrsquos description you can enter anything like computer owner location asset id etc
- Edit ACL this will be discussed in next section
User Manual
NeoRouter Inc 2010 Page 34 of 53
44 Access Control List
This feature is available in NeoRouter Profession Edition only
441 Overview
The ACL of a host specifies which users are granted or denied access to the host and which specific services or ports
are allowed Administrators can use ACL to manage a NeoRouter domain that has users with different trust levels
For example Joe uses NeoRouter to manage the office network at his small business He wants to share some
documents on a file server with a customer but block this customer from accessing other services on this file server
and other computers at office At the same time Joe and his coworkers should continue to have full access to all
computers
This can be a daunting task with traditional VPN solutions Once Joersquos customer is connected into the office
network heshe can access all network resources just like Joe and his coworkers If the office uses a domain
controller it can help mitigate the threat but Joe would have to check all the computers to ensure they are secure
Some coworkers can make innocent mistakes and share important files or internal websites with ldquoeveryonerdquo With
NeoRouter Joe can manage all the access control at one place and easily solve this challenge
User Manual
NeoRouter Inc 2010 Page 35 of 53
ACL defines the relationships between users and computers that can be conceptually represented using a table In
Joersquos case he needs to define the ACL as follows
Default User Joe (Admin) Customer Joersquo Co-workers
Default Computer ACL Block all
File Server Allow all Allow file sharing
block other services
Office Computer A Allow all Block all
Office Computer B Allow all Block all
Joersquos laptop Allow all Block all
Customerrsquos Computer
Letrsquos first look at the row for File Server Joersquos customer will only have access to the files sharing service There is
no ACL defined for Joe and his co-workers so the ACL for Default User is effective and they have full access
Similarly the customer will be blocked from accessing office computer A and B as well as Joersquos laptop while Joe
and his coworkers have full access to these computers
When the customer connects to Joersquos NeoRouter domain his computer will be added to the domain Because the
ACL for this computer is undefined it will have the same ACL as ldquoDefault Computerrdquo Thus the customerrsquos
computer will block all users including Joe from accessing it The customer has physical access to his own
computer
442 Define Computer ACL
You can think of a computerrsquos ACL as a row in the above ACL table An admin can select any computer in the
computer list and edit its ACL If a group of computers share the same ACL admin can copy ACL from one
computer to another
To edit the Default Computer ACL you can click on the ldquoEdit Default ACLrdquo button in the tool bar
User Manual
NeoRouter Inc 2010 Page 36 of 53
443 Define ACL entry
An ACL entry defines the relationship between one user and one computer You can think of it as a cell in the above
table To edit an ACL entry you can select the computer in the computer list click Edit ACL in the tool bar and
then select the user in the User List in the following dialog If the user does not exist in the list you can click Add
button and add himher
There are 4 types of ACL entries
Undefined the relationship between the user and the computer is not explicitly defined The user does not
show up in the User List of the ACL In this case the Default User ACL entry for this computer will be
effective
Block All the computer is invisible to the user User cannot add the computer to hisher computer list in
Network Explorer or connect to it
Note admin can view the list of computers that is visible to a specific user Click on the User Accounts tab
choose the user and then click on the ldquoUser Computer Listrdquo button from tool bar
Firewall On User can only access the services in the exceptions list provided by the computer
Firewall Off User can access all services provided by the computer
To define the Default User ACL entry for a computer choose Default User from User List If several users have the
same trust level admin can copy the ACL entry from one user to another using the ldquoCopy Fromrdquo button
444 How Firewall Works
NeoRouter Client Service daemon has a built-in firewall that monitors traffic in the virtual network The firewall
downloads the ACL from server and uses it to allow or deny incoming connections in the virtual network
User Manual
NeoRouter Inc 2010 Page 37 of 53
When a remote computer establishes a direct P2P or relayed connection to local host it also informs which user has
signed into the Network Explorer on the remote computer Then the local hostrsquos firewall will use the user id to
choose the appropriate ACL entry and control the virtual network traffic between these two computers If user does
not sign in Network Explorer on the remote computer the Default User ACL entry is used
As a result NeoRouter firewall can control a userrsquos access to a network resource (a computer or a service on a
computer) based on the ACL
445 Example hub-and-spoke
Jeffrsquos company has three business partners A B and C Jeff needs to setup bidirectional network connections with
each partner but these partners should be invisible to each other Jeff setup a NeoRouter domain and invited the
partners to Then Jeff creates the following ACL to achieve his access control goals
Default User Jeff (Admin) Partner A Partner B Partner C
Default Computer ACL Block all Allow all
Jeffrsquos Computer 1 (Hub 1) Allow all
Jeffrsquos Computer 2 (Hub 2) Allow all
Partner Arsquos Computer
Partner Brsquos computer
Partner Crsquos computer
Every user will have access to Jeffrsquos two computers (hub) because they have Default User ACL entry as ldquoAllow
allrdquo Partner Arsquos computer does not have a specific ACL defined so the Default Computer ACL is effective The
Default Computer ACL grants Jeff access to Partner Arsquos computer but make the computer invisible to Partner B and
C Partner A have physical access to his own computer
446 Example one-way access
Jasonrsquos company provide technical support for customer A Jason needs to have one-way access to Customer Arsquos
computer but block Customer A from accessing Jasonrsquos computer Jason sets up the following ACL for his domain
and invites Customer A to join his domain Jason can access all the computers in the domain while Customer A can
access none except for his own
One day Jason visits another Customer Brsquos office He installs NeoRouter client on Customer Brsquos computer so that he
can provide technical support remotely in the future When he signs into Network Explorer he makes sure to
uncheck ldquoremember my passwordrdquo checkbox When he leaves customer Brsquos office he exits the Network Explorer
Because Network Explorer is not running on Customer Brsquos computer the Default User ACL governs the
connections from Customer Brsquos computer to other computers in the VLAN Thus Customer B does not have access
to any computers except for his own When Jason goes back to his office he can connect to Customer Brsquos computer
remotely and provide customer support
The difference between Customer A and B is that Customer A has a NeoRouter user account while Customer B does
not The result is that Jason has access to all three computers while Customer A or B can only access hisher own
computer
Default User Jason (Admin) Customer A
Default Computer ACL Block all Allow all
Jasonrsquos Computer
Customer Arsquos Computer
Customer Brsquos Computer
User Manual
NeoRouter Inc 2010 Page 38 of 53
45 Managing Server and Domain
In the Settings page you can perform the following tasks
- Change domain name User should have setup a domain during the server installation If you decide to
change the domain name you can create a new domain at NeoRouter Dashboard website and then use
Configuration Explorer to switch the server to new domain
- Change Listen Port this is discussed in the Advanced Configuration chapter
- Change NAT setting this is discussed in the Server Installation chapter
- Change DHCP this is discussed in the Advanced Configuration chapter
Please restart the NeoRouter server daemon after changes
46 Branding
This feature is available in NeoRouter Profession Edition only
Admin can customize the logo on the sign-in page NeoRouter Network Explorer and the banner below the computer
list The customization page of the Configuration Explorer allows user to make these changes The changes will be
effective next time user signs into the Network Explorer
User Manual
NeoRouter Inc 2010 Page 39 of 53
a Logo format custom logo can be JPG JPEG BMP or GIF files The Logo will be displayed in 180 80
pixels and the file will be automatically resized to fit The color of the pixel at (0 0) will be used as the
transparent color
b Banner format custom banner can be JPG JPEG BMP or GIF files The banner will be displayed in
190 42 pixels and the file will be automatically resized to fit
c When user clicks on the banner Network Explorer will launch a web browser and navigate to the link
specified in the ldquoBanner Linkrdquo box The banner link should be a valid URL that begins with http eg
httpwwwgooglecom
User Manual
NeoRouter Inc 2010 Page 40 of 53
47 Server Configuration CLI
Another way to configure the NeoRouter server is to use nrserverrsquos CLI If user does not have a Windows computer
with Configuration Explorer this tool can be used to set most configurations
Usage nrserver [options]
-run [--dbroot ltDBROOTgt]]
-showsettings
-setdomain ltDOMAINNAMEgt ltDOMAINPASSWORDgt
-setport ltPORTgt
-dhcp ltSUBNETgt ltNETMASKgt
-showusers
-adduser ltUSERNAMEgt ltPASSWORDgt [admin|user]
-setpassword ltUSERNAMEgt ltNEW PASSWORDgt
-setrole ltUSERNAMEgt [admin|user]
-enableuser ltUSERNAMEgt
-disableuser ltUSERNAMEgt
-deleteuser ltUSERNAMEgt
-showcomputers
-deletecomputer COMPUTERNAME
-setalias COMPUTERNAME ALIAS
-help
5 Advanced Configuration
51 Change Server Port
By default NeoRouter server listens at TCP port 32976 for incoming client connections User can change the
listening port to any valid number between 1 and 65534
a Launch Configuration Explorer sign in and open the Settings tab
b Click on ldquoChange Portrdquo button input the new listening port and click ldquoOkrdquo to save the settings
c If the NeoRouter Server is running on the same computer user will be prompted for restarting the
NeoRouter Server
d If the NeoRouter Server is running on a different computer or device user needs to restart the server
manually
User Manual
NeoRouter Inc 2010 Page 41 of 53
Note
- The new settings will not take effect until the NeoRouter server stops and restarts
- Since the listening port has been changed all NeoRouter clients connected to the server will be
disconnected and have to reconnect to the server
52 Change DHCP NeoRouter server acts as a DHCP server to allocate the virtual IP address when a NeoRouter client connects to it By default the base IP address is 100002552552550 User can change the base IP address to any valid network IP address to meet the specific requirements
a Run Configuration Explorer sign in and open the ldquoSettingsrdquo tab b Click on ldquoChange DHCPrdquo button input the new IP address and netmask and then click ldquoOkrdquo to save the
settings c If the NeoRouter Server is running on the same computer user will be prompted for restarting the
NeoRouter Server d If the NeoRouter Server is running on a different computer or device user needs to restart the server
manually
Note
- The new settings will not take effect until the NeoRouter server stops and restarts
53 Network Bridge
531 Overview NeoRouter (v099 or later) supports the Network Bridge feature which uses two very different means for
interconnecting networks routing and bridging Once the feature is enabled the ACL feature will be disabled
automatically as we cannot control the packets from the external networks anymore and may cause security issues if
its not setup properly So this is an advanced feature for the users who know about it every well
Routing - refers to the interconnection of separate and independent sub-networks (subnets) which have non-
overlapping ranges of IP addresses Upon receiving a packet sent to it a network router examines the
destination IP address to determine which of several connected networks should receive it after which that packet
is forwarded to the proper network
User Manual
NeoRouter Inc 2010 Page 42 of 53
Bridging - by comparison is much simpler A network bridge is simply an electrical interconnection between
separate physical networks that are all carrying the same ranges of IP addresses Standard dumb network hubs
and switches are examples of network bridges With a hub packets arriving at any port are bridged and sent
out to every other port A switch is a bit smarter since it is able to adaptively learn which network interface cards
(NICs) are attached to which ports But a switch is still interconnecting network segments carrying the same
ranges of IP addresses
532 Routing vs Bridging Although routed connections are the most common and straightforward to configure they suffer from significant
operational limitations By comparison bridged connections are generally much trickier to configure and are not
even natively available under all operating systems so they are not the default connection type But when bridging
is properly setup it correctly does everything that we want
Bridging and routing are functionally very similar with the major difference being that a routed VPN will not pass
IP broadcasts while a bridged VPN will
Routing advantages
Efficiency and scalability
Allows better tuning of MTU for efficiency
Routing disadvantages
Clients must use a WINS server (such as samba) to allow cross-VPN network browsing to work
Routes must be set up linking each subnet
Software that depends on broadcasts will not see machines on the other side of the VPN
Works only with IPv4 in general and IPv6 in cases where tuntap drivers on both ends of the connection
support it explicitly
Bridging advantages
Broadcasts traverse the VPN -- this allows software that depends on LAN broadcasts such as Windows
NetBIOS file sharing and network neighborhood browsing to work
No route statements to configure
Works with any protocol that can function over ethernet
Relatively easy-to-configure solution for road warriors
Bridging disadvantages
Less efficient than routing and does not scale well
533 Setup Network Bridge With either bridging mode or routing mode one can create point-to-site VPN site-to-site VPN or even multiple site-
to-site networks Once a network structure is well designed one can use Featureini file to control NeoRouter client
service to implement it
The file Featureini is located in the main configuration folder which can be various for different OS
On Windows Xp
XDocuments and SettingsAll UsersApplication DataZebraNetworkSystemsNeoRouter
On Vista+
XUsersAll UsersZebraNetworkSystemsNeoRouter
On Linux and Mac OSX
usrlocalZebraNetworkSystemsNeoRouter
On in-a-box
jffs
If it does not exist please create one
The only thing to do is define the parameters in the Featureini file
User Manual
NeoRouter Inc 2010 Page 43 of 53
NetworkBridge=1
LANSegment parameter
This is a set of parameters used for mapping the external IP address or IP range to a virtual IP address so that
NeoRouter can route the packets to the proper tunnel Its defined in the following format
LANSegment[index]=[IP|IP range|segment]VIP
[index] - number start from 1 for example 123
[IP] - a valid external IP address for example 192168129126
[IP range] - a set of external IP addresses in the format as IP_BEGIN-IP_END For example 192168129126-
192168129128
[segment] - a set of external IP addresses in the format as SUBNETWORKNETMASK For example
19216812902552552550
For example
[Default]
NetworkBridge=1
LANSegment1=192168129126-192168129128192168129204
LANSegment2=192168129120192168129205
LANSegment3=192168302552552550192168129206
In the sample above the setting tells NeoRouter how to route packets
Here are several common scenarios
534 Bridging Setup ndash point to site VPN
Requirement
A company wants create a point-to-site VPN so that the employees can remotely access the printers or computers in
the office from home or customer site Since NeoRouter client cannot be installed on the printers and some
User Manual
NeoRouter Inc 2010 Page 44 of 53
computers that are running Unix OS (HP-Unix Solaris or SCO Unix) the NeoRouter Network Bridge feature
would the best choice
Design
Since we want to use the printer its better to use the bridging mode Depending on the requirements we split the
network into 3 groups
1 192168129126 - 192168128128 used for computers or printers
2 192168129200 - 192168129254 used for NeoRouter DHCP
3 Other IP address we dont want packets from these IP range go to our VPN
Setup
1 Setup NeoRouter server and config the DHCP address to 1921681292002552552550
2 Setup the gateway computer by creating a bridge to combine the NeoRouter virtual adapter and a local adapter
On Windows XP+ (except WinXp x64) one can use Windows tool to create a bridge
(check out MSDN for details)
Since some adapters may not fully support prosmic mode one has to enable it manually
(check out httpsupportmicrosoftcomkb302348)
gt netsh bridge show adapter
gt netsh bridge set a 1 e
gt netsh bridge set a 2 e
On Linux one can use brctl command to create a bridge
gt brctl addbr $br
gt brctl addif $br eth0
gt brctl addif $br nrtap
gt ifconfig nrtap 0000 promisc up
gt ifconfig eth0 0000 promisc up
gt ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast
gt
gt ifconfig $br down
gt brctl delbr $br
3 Setup Featureini file on each member of the NeoRouter network The content of the file is
[Default]
NetworkBridge=1
LANSegment1=192168129126-192168129128192168129204
After setting the file restart the nrservice or reboot computer
User Manual
NeoRouter Inc 2010 Page 45 of 53
535 Routing Setup ndash site to site VPN
Requirement
A company wants create a site-to-site VPN to link two offices located in different cities They cannot install
NeoRouter client software on their computers running Unix OS (HP-Unix Solaris or SCO Unix) The NeoRouter
Network Bridge feature would be the best choice
Design
To make the VPN fast its better to use the routing mode From the requirements we can see 3 networks
1 19216812902552552550 Office 1
2 192168302552552550 Office 2
3 100102552552550 NeoRouter virtual network
Setup
1 Setup NeoRouter client on each gateway computers
2 One each gateway computer enable the feature allowing the OS to forward packets
On Windows 2000+
create HKEY_Local_MachineSystemCurrentControlSetServicesTcpipParametersIPEnableRouter
as a string value equal to 1 in the registry This will require a system reboot to take effect To confirm it
is enabled do ipconfig all from the command line IP Routing Enabled should say yes If not confirm your
registry setting and reboot again This setting is flaky in non-server versions of Windows
Also refer to httpsupportmicrosoftcomkb230082en-us
On Linux
gt echo 1 gt procsysnetipv4ip_forward
User Manual
NeoRouter Inc 2010 Page 46 of 53
On Mac OS X
1) The easy way is to create or edit etcsysctlconf and add netinetipforwarding=1
or
2) gt sysctl -w netinetipforwarding=1
3 Setup route on each gateway
On the gateway of the 1921683x network
gt route ndashp add 1921681290 mask 25525500 1001103
On the gateway of the 192168129x network
gt route ndashp add 19216830 mask 25525500 1001102
4 Setup route stable When using routing method you need to tell your other machines how to cross the VPN to
access computers on the opposite network
Option1
This requires more work but limits configuration changes to be at the computer level
On each computer of the 1921683x network
gt route ndashp add 1921681290 mask 25525500 1921683234
On each computer of the 192168129x network
gt route ndashp add 19216830 mask 25525500 192168129129
Option 2 (not all routers support this but it is the minimal configuration method)
On the router acting as the default gateway for 1921683x network add a static route that says any traffic destined
for 1921681290 network go through 1921683x (IP address of NeoRouter PC on 1921683x network)
On the router acting as the default gateway for 192168129x network add a static route that says any traffic
destined for 19216830 network go through 192168129x (IP address of NeoRouter PC on 192168129x
network)
User Manual
NeoRouter Inc 2010 Page 47 of 53
536 Bridging Setup ndash site to site VPN
537 Run Scripts When Network Bridge feature is enabled one can define commands getting called by NR Client on the following
events
These commands should be defined in the Featureini file
1When initialize the tap device but not activate it yet
CmdOnTapInit=xxxxxxxxx
2When the tap device gets activated
CmdOnTapActive=xxxxxxxxx
3When tap device gets destroyed
CmdOnTapUninit=xxxxxxxxx
These options are available on all platforms
For example one can define a script to setup static route table after the tap gets activated and has virtual IP address
assigned
Featureini
CmdOnTapActive=usrbinsetroutetablesh
User Manual
NeoRouter Inc 2010 Page 48 of 53
54 Build Custom Add-on (Windows)
541 Create Custom Add-on You can customize an add-on or even create your own
As an example letrsquos create an add-on to get the system info of a remote computer using PsTools by Mark
Russinovich and systeminfoexe command shipped with Windows
PsTools httptechnetmicrosoftcomen-ussysinternalsbb896649aspx
systeminfo httptechnetmicrosoftcomen-uslibrarybb491007aspx
a Launch NeoRouter Network Explorer open Add-ons Manager dialog
b Click + button to create a new add-on
c In add-on properties dialog enter the following
Add-on name psexec systeminfo
Command
cmdexe C cpstoolspsexecexe NRIPAddress -u ltusernamegt systeminfo amp pause
Please replace ltusernamegt with username on the remote computer
Comment Get SystemInfo of remote machine using psexec
Startup Type Manual
Icon click Change Icon button to choose one thats easy to recognize
d In the command you can use Windows environment variables or NeoRouter variables like
NRIPAddress If you click on the button next to the Command edit box you will see the Edit
Command dialog with a list of variables you can use
User Manual
NeoRouter Inc 2010 Page 49 of 53
e Three Startup types are supported
Manual the add-on will be displayed in the launch pad of Network Explorer and user can manually
launch the program
Automatic after signing in the add-on command is automatically executed when user signs into
NeoRouter Network Explorer
Automatic after Windows starts the add-on command is automatically executed when Windows
starts
f Launch the new add-on just click on the target computer in Network Explorer and choose the add-on in
the pop-up launch pad
User Manual
NeoRouter Inc 2010 Page 50 of 53
g In the above steps I have assumed that PsTools are installed at cPsTools and the remote computer has
telnet service enabled If not lets configure the system now
PsTools download from httptechnetmicrosoftcomen-ussysinternalsbb896649aspx and extract to
cPsTools folder
h Configure telnet service on remote computer This step is required on XPVista but not necessary on
Windows 20032008 servers
Run servicesmsc from the Start -gt Run command window and configured the Telnet service for
Automatic Start the service
Follow the instructions here httpsupportmicrosoftcomkb298060en-us
Launch Windows firewall and add CWINDOWSSystem32tlntsvrexe to exception list
542 Add-on File Formats
NeoRouter supports two types of add-on files nri and nra Most users only need to deal with nri files all files
downloaded from httpwwwneoroutercomaddonsindexhtml are in this format nra files are used by advanced
users to build custom add-ons
nri is the full installation package that contains both the application and the the configure info Users can simply
download nri files from and use the Install button to setup the add-on
nra contains only the configuration info Advanced users can create custom add-ons and export the configuration
info as nra files using the Export button in the add-on properties dialog Then heshe can import the nra file
on another client But remember that you will need to manually setup the application as well
User Manual
NeoRouter Inc 2010 Page 51 of 53
6 Licensing NeoRouter
61 Licensing Overview
NeoRouter Server Professional Edition has a license control mechanism User can purchase either 8 licenses or 256
licenses The number of licenses is the max number of client computers allowed in the virtual network A
NeoRouter client requires one license regardless of whether it is online or offline A NeoRouter PortableUSB client
requires one license when it is connected to the virtual network There is no limit on the number of user accounts
NeoRouter Professional has 30 days trial period Please activate before the trial period expires to ensure
uninterrupted usage The license status and remaining trial days can be found at Configuration Explorerrsquos General
page
62 Activation
If you have purchased NeoRouter Professional Edition you should receive a product key in email Please have the
product key ready before starting the activation process
a Ensure NeoRouter server is running
b Launch Configuration Explorer and sign in
c Open ldquoGeneralrdquo page click on the ldquoActivate Productrdquo button
d Enter the product key in the following dialog
e Click on the ldquoOKrdquo button to activate it
After successful activation the ldquoActivate Productrdquo button will disappear and License status will show as activated
If the server host is non-Windows you can also activate using nrserverrsquos CLI The command is as follows On Mac
nrserver executable is located under LibraryNeoRouter
ldquonrserver ndashactivateproduct ltPRODUCT KEYgtrdquo
63 Product Key Recovery
You should receive a product key in email within 48 hours after your purchase If you lose the product key please
contact us and provide your name company shipping address and email address We will verify the information and
resend the product key to you
User Manual
NeoRouter Inc 2010 Page 52 of 53
7 Troubleshooting and Support
71 Troubleshooting
If you come cross issues when using NeoRouter please use the methods to debug or report
711 Troubleshooting steps
1Install Server
2Check Server
Process
3Check Server
Listening port
4Check Port
Forwarding
6Signin with
Domain
14Check Error
Message
20 Generate Log
and email support
9Install Client
10Check Client
Service Process
11Sign in with
serverrsquos local or
public IP and port
failed
sucessful
15 Manually Start
Servernot found
started
not start
found
not open17 Check Port
conflicts
solved
Not solved
opened
19 Check Router
Port Forward
setting
not work
Set properly
8Ready
Sign in successfully
5Sign in with
public IP and port
successful
Cannot sign in
22 Router Hairpin
issue
Cannot
sign in
12Sign in with
domain name
found
successful
failed
16 Manually Start
Client ServiceNot found
started
13Ready
Sign in successfully
18 Check serverCannot
Sign in
solved
Cannot
sign in
21 Check domain
setting
Not sovled solved
Troubleshooting Steps
Setup Server Setup Client
Note
Step 2 and 10 to check if a process is running you can use Task Manager or Services Console on
Windows or ps command on other platforms
Step 3 to check server listening port you can use telnet or netstat on all platforms You can also
TcpViewer on Windows or NetActView on Linux
Step 4 to check port forwarding you can use httpwwwneoroutercomcheckportphp
Step 5 and 6 Tip ndash use Configuration Explorer instead of Network Explorer to debug server issues
Step 20 next section will explain how to generate log files
User Manual
NeoRouter Inc 2010 Page 53 of 53
Step 22 If your router does not support Hairpin please set serverrsquos LAN address in the Connection
Options dialog See Server Local Address
712 Generate Log
If you need technical support please use the following steps to collect the log files and send them to
supportneoroutercom
a Launch Network Explorer
b Select menu item HelpgtgtTroubleshootinggtgtLog Session to File
c If you want to troubleshoot the server then restart the NeoRouter server service from the servicesmsc if
you want to create log for the client then restart the NeoRouter client service from the servicemsc
d After reproduce the issue select menu item HelpgtgtTroubleshootinggtgt Log Session to File again to disable
the log and restart the service you are trying to log
e Select menu item HelpgtgtTroubleshootinggtgtOpen Configuration Folder and you will see the log file
For advanced users please setup logging settings manually referring to
httpwwwneoroutercomwikiindexphpNeoRouterWikiFAQHow_to_generate_a_log_file3F
72 Contact Us
Company website
httpwwwneoroutercom
Technical support
supportneoroutercom
Support ticket
httpswwwneoroutercomDashboardSendTicketaspx
Support forum
httpwwwneoroutercomforum
Product sales
salesneoroutercom
Knowledge base
httpwwwneoroutercomsupport
User Manual
NeoRouter Inc 2010 Page 22 of 53
i Repeat the above steps on the remote computer that you plan to access
j To launch VNC viewer and access the remote computer choose the computer in the computer list and
click VNC viewer icon in the launch pad
333 Manage Add-ons (Mac)
a Launch NeoRouter Network Explorer choose menu File - Add-ons
b The Add-ons Manager dialog lists all the existing add-ons including system default ones and those added
by user
User Manual
NeoRouter Inc 2010 Page 23 of 53
c An add-on is essentially an apple script with NeoRouter parameters Here are some examples
Name Script
Copy IP set the clipboard to $NRIPAddress
Ping tell application Terminal to do script ping $NRIPAddress
Shared Folder tell application Finder to open location smb$NRIPAddress
Variables $NRIPAddress and $NRComputerName will be replaced with the IP and name of the selected
computer before the add-on is executed
d You can also create new add-ons or edit existing ones using the Add-On Properties dialog
User Manual
NeoRouter Inc 2010 Page 24 of 53
e To learn more about Apple Script please visit the following websites
httpenwikipediaorgwikiAppleScript
httpdeveloperapplecommaclibrarydocumentationAppleScriptConceptualAppleScriptXAp
pleScriptXhtml
34 Connection Options Connection Options dialog can be opened from Network Explorer menu ldquoFile | Connectionrdquo
341 P2P Connection This option allows user to specify the connection type between this computer and its peers The default option is
UDP User can also use direct TCP connection or relay traffic through NeoRouter server
342 Proxy Setting If the client host is behind proxy user can enter the proxy information here
User Manual
NeoRouter Inc 2010 Page 25 of 53
343 Server Local Address This option can be used to work around the connectivity issue when NeoRouter server is behind a router that does
not support hairpin
A router supports hairpin if it allows a host behind it to send network messages to its public-facing interface
Unfortunately some popular routers do not support this feature or turn off this feature by default
When user logs into NeoRouter Network Explorer first translates domain name into routerrsquos public address using
the NeoRouter DDNS service and then tries to connect to server using this address If both NeoRouter server and
client are behind the same router and the router does not support hairpin the router will block the messages that
client sends to the routerrsquos public address thus client fails to establish connection to server User could work around
this issue by entering serverrsquos LAN IP address instead of domain name in the ldquolog on tordquo box but this can be a
hassle for laptop users who frequently move between networks
These users can choose the second option ldquoConnect to server using its local address when possiblerdquo in the following
dialog and enter serverrsquos local address NeoRouter Network Explorer can detect when client and server are behind
the same router and automatically choose the specified local address to establish the connection to server
User Manual
NeoRouter Inc 2010 Page 26 of 53
35 Multi-Language
Multi-Language support allows you to change the default language displayed in Network Explorer NeoRouter
Portable and Configuration Explorer
351 Install a language resource file
NeoRouter applications support 34 languages and English is the default To install a new language you can
download the language resource files from
httpwwwneoroutercomwikiindexphpNeoRouterWikiMultilanguage and place them under the translation
folder Then the application will load them and list all available languages in the Language menu You can switch
language in the menu and the application will refresh its UI with the new language
For NeoRouter Network Explorer and Configuration Explorer the language resource files should be placed under
one of the following folders
ldquoProgram FilesZebraNetworkSystemsNeoRouterTranslationrdquo
ldquoAllUsersAppdataZebraNetworkSystemsNeoRouterTranslationrdquo
For NeoRouter PortableUSB the language resource file should be placed under Translations folder next to
application
352 Language resource file format
The file name should have the following format [Appliation Name] can be NRClient NRViewer and NRConsole
[LangCd] is the short language code
[Application name]Resource[LangCd][xml|dll]
For example Simplified Chinese version has the following files NRClientResourceZhCnxml for Network
Explorer NRConsoleResourceZhCnxml for Configuration Explorer and NRViewerResourceZhCnxml for
NeoRouter Portable
User Manual
NeoRouter Inc 2010 Page 27 of 53
Each resource file is an xml that contains all the strings defined in the NeoRouter applications The file is encoded in
ANSI The content should be in the format
ltxml version=10 encoding=windows-1252gt
ltresource CompactMode=1 Language=English (United States) LANGID=1033
version=09101650gt
ltstring id=100 value=OLE initialization failed Make sure that the OLE libraries are
the correct versiongt
ltresourcegt
Encoding (=windows-1252) Language(=English (United States)) and LANGID(=1033) are used to control
the translation version=09101650 is resource file version number introduced in v0910 The resource file can
be recognized properly only when these parameters are set properly
353 Multi-Language support for Add-ons
The names and descriptions of the add-ons can be translated to other languages as well You can download the add-
on configuration file from NeoRouter website and overwrite the following file
AllUserAppDataZebraNetworkSystemsNeoRouterAddOnsAddOnxml
36 Skin
Skin allows you to further customize the user interfaces of Network Explorer NeoRouter Portable and
Configuration Explorer
To install a new skin you can download the skin resource file from
httpwwwneoroutercomwikiindexphpNeoRouterWikiSkin and place them under the skin folder
For NeoRouter Network Explorer and Configuration Explorer the language resource files should be placed under
one of the following folders
ldquoProgram FilesZebraNetworkSystemsNeoRouterSkinrdquo
ldquoAllUsersAppdataZebraNetworkSystemsNeoRouterSkinrdquo
For NeoRouter PortableUSB the language resource file should be placed under Skin folder next to executable
To change default skin you need to modify (or create if not exists)
AllUserAppDataZebraNetworkSystemsNeoRouterFeatureini file and add the following
[Default]
SkinName=xxxxstyles
SkinStyle=xxxxini
37 Network Explorer CLI
NeoRouter Network Explorer Command Line Interface (CLI) allows user to sign in manage the computer list and
view computer status Below are the screenshots on Mac and Ubuntu Linux
User Manual
NeoRouter Inc 2010 Page 28 of 53
371 Launch CLI
Usage nrclientcmd [-d DOMAIN] [-u USERNAME] [-p PASSWORD] [-setproxy] [-setconn] [-dbroot DBROOT]
[-internal] [--help]
To launch Network Explorer CLI you can simply run nrclientcmd in a terminal without parameters Mac users can
simply double-click on the nrclientcmd shortcut on the Desktop You will be prompted for domain name and user
credential
If you need to launch nrclientcmd in a startup script you can also provide domain name or credential in the
command line arguments
If the client host is behind a proxy you can use ndashsetproxy option The proxy information will be stored in the
configuration file and nrclientcmd will respect this setting subsequently
There are also a few advance options
- setconn allow user to specify client-to-client connection type
- dbroot allow user to specify the location to store user data
- internal nrclientcmd will generate tags between information sections This option can be used by third
party developers to create a UI wrapper for CLI
372 Computer List in CLI
After signing in you will see your computer list just like on Windows The computer list will automatically update
if there are any changes in your virtual LAN eg a host comes online or offline
At the bottom of the screen lists the available commands you can use to manage the computer list change password
remotely wake up a computer or to quit
38 Network Explorer Portable
NeoRouter Network Explorer Portable can run from any computer without installation It does not require
administrator permission or use the virtual network adapter This application can be extremely useful for users who
need to connect to the VLAN from a public kiosk or from friendrsquos house
User Manual
NeoRouter Inc 2010 Page 29 of 53
Note Prior to v111 Portable and USB are two separate packages They are merged into one package in v111 and
later releases The new package is a zip file containing both the portable client and the USB Auto Run Configuration
Tool The functionalities are same as before
381 Network Explorer Portable
To use Network Explorer Portable client user can simply download it from NeoRouter download website and run
Then user will see the same user interface as the regular Network Explorer The user experience is almost the same
except for the following
The host running PortableUSB client cannot be added to the computer list or be accessed by remote computer
You can think of it as a ldquoviewer of the VLANrdquo
NeoRouter administrator users can see and manage hosts running PortableUSB clients in the Configuration
Explorer
382 Auto Run Configuration for USB
Auto Run Configuration Tool allows user to store the portable client add-ons and configuration on a USB drive
You can even configure it to launch and sign in automatically when the USB drive is plugged into a computer and to
sign out and exit when the USB drive is unplugged
Here are the steps for setting up the USB package
a Download NeoRouter for USB
b Unzip the package to any folder For example CTEMP
c Launch the ldquoAuto Run Configuration Toolrdquo (AutoRunCfgexe)
User Manual
NeoRouter Inc 2010 Page 30 of 53
d Click on the ldquohelliprdquo button next to the working directory text box and specify a working path If the target
USB drive is plugged in you can specify the USB drive root path as the working directory Or you can
specify a temporary path (eg CTEMPUSB) and copy the files to your USB driver later
e Once you specify a working directory the Settings section will be enabled
f Choose CliViewerexe from the same install zip package as the Target file
g Check the Sign in checkbox and enter the domain name and user information to log into your NeoRouter
VLAN
h Setup the proxy information if necessary
i If you want to import a NeoRouter add-on click on the button on the right side of the Add-on file text
box and specify an add-on nri file
j If you want to run an application automatically after signing in click on the Run application
automatically check box and input an executable file path and parameters
k If you want to hide the NeoRouter Viewer window click on the Minimize NeoRouter window when
started
l Click on Save button to save the configuration files It will generate the following files under the working
directory
- Autoruninf
- CliViewerexe copied from the target file
- NRAutoRunxml
- [add-on file]nri if you specify an add-on
- Proxyxml if you specify a proxy
m You will also see the following dialog if the configuration was successful Then please copy all files and
sub-folder under the working directory to the root of your USB drive And the USB drive is ready to use
39 Change Password
A user can change hisher password in NeoRouter Network Explorer User must sign in the Network Explorer using
old password then choose menu ldquoFile | Change Passwordrdquo then enter the new password in the dialog
Network Explorer CLI has similar functionality After signing in user can use ndashchangepassword command to enter
new password
If a user loses the old password an administrator can create a new password for himher using the Configuration
Explorer User Management tool
User Manual
NeoRouter Inc 2010 Page 31 of 53
4 Configuration Explorer
NeoRouter Configuration Explorer is a Windows application that allows an administrator to manage local or remote
NeoRouter server This is the recommended method to change server settings
If user does not have a Windows computer nrserver CLI can be used to perform most configurations
41 Launch and Sign In
Note Only administrators can sign in Configuration Explorer
a User can launch it from Windows Start Menu | All Programs | NeoRouter | NeoRouter Network Explorer
or from NeoRouter Network Explorer menu ldquoFile | Optionsrdquo
b After launch user will see a sign-in dialog that is similar to the Network Explorer counterpart Please enter
domain name and user credential to sign in If the local host is behind a proxy please click on Connection
button to set proxy information
c After sign in the following general information page will be displayed
User Manual
NeoRouter Inc 2010 Page 32 of 53
42 Managing Users
In the User Accounts page you can perform the following tasks
- View existing users The users list can be sorted by any column
- Add a new user admin will create a temporary password for the new user and user can change the
password in Network Explorer
- Edit user information you can enter anything like employer contact info etc
- Set userrsquos password If a user loses password admin can set a temporary password for himher Then user
can change the password again in Network Explorer
- Disable (block) a user A disabled user will not be able to sign in Network Explorer or Configuration
Explorer The userrsquos profile and ACL settings are retained
- Delete a user all information of this user is deleted
- View the computers that are visible to this user (see ACL section for details)
User Manual
NeoRouter Inc 2010 Page 33 of 53
43 Managing Computers
In the Computers page you can perform the following tasks
- View existing computers please note that the Type column will show ldquoTemporaryrdquo for Network Explore
PortableUSB clients and ldquoPermanentrdquo for regular clients The computer list can be sorted by any column
- Edit a computerrsquos alias When a computer is added to the virtual network NeoRouter reads the computer
name from the OS and displays it in the computer list If you prefer a different name you can create an
alias which will then be used in the computer list
- Edit a computerrsquos description you can enter anything like computer owner location asset id etc
- Edit ACL this will be discussed in next section
User Manual
NeoRouter Inc 2010 Page 34 of 53
44 Access Control List
This feature is available in NeoRouter Profession Edition only
441 Overview
The ACL of a host specifies which users are granted or denied access to the host and which specific services or ports
are allowed Administrators can use ACL to manage a NeoRouter domain that has users with different trust levels
For example Joe uses NeoRouter to manage the office network at his small business He wants to share some
documents on a file server with a customer but block this customer from accessing other services on this file server
and other computers at office At the same time Joe and his coworkers should continue to have full access to all
computers
This can be a daunting task with traditional VPN solutions Once Joersquos customer is connected into the office
network heshe can access all network resources just like Joe and his coworkers If the office uses a domain
controller it can help mitigate the threat but Joe would have to check all the computers to ensure they are secure
Some coworkers can make innocent mistakes and share important files or internal websites with ldquoeveryonerdquo With
NeoRouter Joe can manage all the access control at one place and easily solve this challenge
User Manual
NeoRouter Inc 2010 Page 35 of 53
ACL defines the relationships between users and computers that can be conceptually represented using a table In
Joersquos case he needs to define the ACL as follows
Default User Joe (Admin) Customer Joersquo Co-workers
Default Computer ACL Block all
File Server Allow all Allow file sharing
block other services
Office Computer A Allow all Block all
Office Computer B Allow all Block all
Joersquos laptop Allow all Block all
Customerrsquos Computer
Letrsquos first look at the row for File Server Joersquos customer will only have access to the files sharing service There is
no ACL defined for Joe and his co-workers so the ACL for Default User is effective and they have full access
Similarly the customer will be blocked from accessing office computer A and B as well as Joersquos laptop while Joe
and his coworkers have full access to these computers
When the customer connects to Joersquos NeoRouter domain his computer will be added to the domain Because the
ACL for this computer is undefined it will have the same ACL as ldquoDefault Computerrdquo Thus the customerrsquos
computer will block all users including Joe from accessing it The customer has physical access to his own
computer
442 Define Computer ACL
You can think of a computerrsquos ACL as a row in the above ACL table An admin can select any computer in the
computer list and edit its ACL If a group of computers share the same ACL admin can copy ACL from one
computer to another
To edit the Default Computer ACL you can click on the ldquoEdit Default ACLrdquo button in the tool bar
User Manual
NeoRouter Inc 2010 Page 36 of 53
443 Define ACL entry
An ACL entry defines the relationship between one user and one computer You can think of it as a cell in the above
table To edit an ACL entry you can select the computer in the computer list click Edit ACL in the tool bar and
then select the user in the User List in the following dialog If the user does not exist in the list you can click Add
button and add himher
There are 4 types of ACL entries
Undefined the relationship between the user and the computer is not explicitly defined The user does not
show up in the User List of the ACL In this case the Default User ACL entry for this computer will be
effective
Block All the computer is invisible to the user User cannot add the computer to hisher computer list in
Network Explorer or connect to it
Note admin can view the list of computers that is visible to a specific user Click on the User Accounts tab
choose the user and then click on the ldquoUser Computer Listrdquo button from tool bar
Firewall On User can only access the services in the exceptions list provided by the computer
Firewall Off User can access all services provided by the computer
To define the Default User ACL entry for a computer choose Default User from User List If several users have the
same trust level admin can copy the ACL entry from one user to another using the ldquoCopy Fromrdquo button
444 How Firewall Works
NeoRouter Client Service daemon has a built-in firewall that monitors traffic in the virtual network The firewall
downloads the ACL from server and uses it to allow or deny incoming connections in the virtual network
User Manual
NeoRouter Inc 2010 Page 37 of 53
When a remote computer establishes a direct P2P or relayed connection to local host it also informs which user has
signed into the Network Explorer on the remote computer Then the local hostrsquos firewall will use the user id to
choose the appropriate ACL entry and control the virtual network traffic between these two computers If user does
not sign in Network Explorer on the remote computer the Default User ACL entry is used
As a result NeoRouter firewall can control a userrsquos access to a network resource (a computer or a service on a
computer) based on the ACL
445 Example hub-and-spoke
Jeffrsquos company has three business partners A B and C Jeff needs to setup bidirectional network connections with
each partner but these partners should be invisible to each other Jeff setup a NeoRouter domain and invited the
partners to Then Jeff creates the following ACL to achieve his access control goals
Default User Jeff (Admin) Partner A Partner B Partner C
Default Computer ACL Block all Allow all
Jeffrsquos Computer 1 (Hub 1) Allow all
Jeffrsquos Computer 2 (Hub 2) Allow all
Partner Arsquos Computer
Partner Brsquos computer
Partner Crsquos computer
Every user will have access to Jeffrsquos two computers (hub) because they have Default User ACL entry as ldquoAllow
allrdquo Partner Arsquos computer does not have a specific ACL defined so the Default Computer ACL is effective The
Default Computer ACL grants Jeff access to Partner Arsquos computer but make the computer invisible to Partner B and
C Partner A have physical access to his own computer
446 Example one-way access
Jasonrsquos company provide technical support for customer A Jason needs to have one-way access to Customer Arsquos
computer but block Customer A from accessing Jasonrsquos computer Jason sets up the following ACL for his domain
and invites Customer A to join his domain Jason can access all the computers in the domain while Customer A can
access none except for his own
One day Jason visits another Customer Brsquos office He installs NeoRouter client on Customer Brsquos computer so that he
can provide technical support remotely in the future When he signs into Network Explorer he makes sure to
uncheck ldquoremember my passwordrdquo checkbox When he leaves customer Brsquos office he exits the Network Explorer
Because Network Explorer is not running on Customer Brsquos computer the Default User ACL governs the
connections from Customer Brsquos computer to other computers in the VLAN Thus Customer B does not have access
to any computers except for his own When Jason goes back to his office he can connect to Customer Brsquos computer
remotely and provide customer support
The difference between Customer A and B is that Customer A has a NeoRouter user account while Customer B does
not The result is that Jason has access to all three computers while Customer A or B can only access hisher own
computer
Default User Jason (Admin) Customer A
Default Computer ACL Block all Allow all
Jasonrsquos Computer
Customer Arsquos Computer
Customer Brsquos Computer
User Manual
NeoRouter Inc 2010 Page 38 of 53
45 Managing Server and Domain
In the Settings page you can perform the following tasks
- Change domain name User should have setup a domain during the server installation If you decide to
change the domain name you can create a new domain at NeoRouter Dashboard website and then use
Configuration Explorer to switch the server to new domain
- Change Listen Port this is discussed in the Advanced Configuration chapter
- Change NAT setting this is discussed in the Server Installation chapter
- Change DHCP this is discussed in the Advanced Configuration chapter
Please restart the NeoRouter server daemon after changes
46 Branding
This feature is available in NeoRouter Profession Edition only
Admin can customize the logo on the sign-in page NeoRouter Network Explorer and the banner below the computer
list The customization page of the Configuration Explorer allows user to make these changes The changes will be
effective next time user signs into the Network Explorer
User Manual
NeoRouter Inc 2010 Page 39 of 53
a Logo format custom logo can be JPG JPEG BMP or GIF files The Logo will be displayed in 180 80
pixels and the file will be automatically resized to fit The color of the pixel at (0 0) will be used as the
transparent color
b Banner format custom banner can be JPG JPEG BMP or GIF files The banner will be displayed in
190 42 pixels and the file will be automatically resized to fit
c When user clicks on the banner Network Explorer will launch a web browser and navigate to the link
specified in the ldquoBanner Linkrdquo box The banner link should be a valid URL that begins with http eg
httpwwwgooglecom
User Manual
NeoRouter Inc 2010 Page 40 of 53
47 Server Configuration CLI
Another way to configure the NeoRouter server is to use nrserverrsquos CLI If user does not have a Windows computer
with Configuration Explorer this tool can be used to set most configurations
Usage nrserver [options]
-run [--dbroot ltDBROOTgt]]
-showsettings
-setdomain ltDOMAINNAMEgt ltDOMAINPASSWORDgt
-setport ltPORTgt
-dhcp ltSUBNETgt ltNETMASKgt
-showusers
-adduser ltUSERNAMEgt ltPASSWORDgt [admin|user]
-setpassword ltUSERNAMEgt ltNEW PASSWORDgt
-setrole ltUSERNAMEgt [admin|user]
-enableuser ltUSERNAMEgt
-disableuser ltUSERNAMEgt
-deleteuser ltUSERNAMEgt
-showcomputers
-deletecomputer COMPUTERNAME
-setalias COMPUTERNAME ALIAS
-help
5 Advanced Configuration
51 Change Server Port
By default NeoRouter server listens at TCP port 32976 for incoming client connections User can change the
listening port to any valid number between 1 and 65534
a Launch Configuration Explorer sign in and open the Settings tab
b Click on ldquoChange Portrdquo button input the new listening port and click ldquoOkrdquo to save the settings
c If the NeoRouter Server is running on the same computer user will be prompted for restarting the
NeoRouter Server
d If the NeoRouter Server is running on a different computer or device user needs to restart the server
manually
User Manual
NeoRouter Inc 2010 Page 41 of 53
Note
- The new settings will not take effect until the NeoRouter server stops and restarts
- Since the listening port has been changed all NeoRouter clients connected to the server will be
disconnected and have to reconnect to the server
52 Change DHCP NeoRouter server acts as a DHCP server to allocate the virtual IP address when a NeoRouter client connects to it By default the base IP address is 100002552552550 User can change the base IP address to any valid network IP address to meet the specific requirements
a Run Configuration Explorer sign in and open the ldquoSettingsrdquo tab b Click on ldquoChange DHCPrdquo button input the new IP address and netmask and then click ldquoOkrdquo to save the
settings c If the NeoRouter Server is running on the same computer user will be prompted for restarting the
NeoRouter Server d If the NeoRouter Server is running on a different computer or device user needs to restart the server
manually
Note
- The new settings will not take effect until the NeoRouter server stops and restarts
53 Network Bridge
531 Overview NeoRouter (v099 or later) supports the Network Bridge feature which uses two very different means for
interconnecting networks routing and bridging Once the feature is enabled the ACL feature will be disabled
automatically as we cannot control the packets from the external networks anymore and may cause security issues if
its not setup properly So this is an advanced feature for the users who know about it every well
Routing - refers to the interconnection of separate and independent sub-networks (subnets) which have non-
overlapping ranges of IP addresses Upon receiving a packet sent to it a network router examines the
destination IP address to determine which of several connected networks should receive it after which that packet
is forwarded to the proper network
User Manual
NeoRouter Inc 2010 Page 42 of 53
Bridging - by comparison is much simpler A network bridge is simply an electrical interconnection between
separate physical networks that are all carrying the same ranges of IP addresses Standard dumb network hubs
and switches are examples of network bridges With a hub packets arriving at any port are bridged and sent
out to every other port A switch is a bit smarter since it is able to adaptively learn which network interface cards
(NICs) are attached to which ports But a switch is still interconnecting network segments carrying the same
ranges of IP addresses
532 Routing vs Bridging Although routed connections are the most common and straightforward to configure they suffer from significant
operational limitations By comparison bridged connections are generally much trickier to configure and are not
even natively available under all operating systems so they are not the default connection type But when bridging
is properly setup it correctly does everything that we want
Bridging and routing are functionally very similar with the major difference being that a routed VPN will not pass
IP broadcasts while a bridged VPN will
Routing advantages
Efficiency and scalability
Allows better tuning of MTU for efficiency
Routing disadvantages
Clients must use a WINS server (such as samba) to allow cross-VPN network browsing to work
Routes must be set up linking each subnet
Software that depends on broadcasts will not see machines on the other side of the VPN
Works only with IPv4 in general and IPv6 in cases where tuntap drivers on both ends of the connection
support it explicitly
Bridging advantages
Broadcasts traverse the VPN -- this allows software that depends on LAN broadcasts such as Windows
NetBIOS file sharing and network neighborhood browsing to work
No route statements to configure
Works with any protocol that can function over ethernet
Relatively easy-to-configure solution for road warriors
Bridging disadvantages
Less efficient than routing and does not scale well
533 Setup Network Bridge With either bridging mode or routing mode one can create point-to-site VPN site-to-site VPN or even multiple site-
to-site networks Once a network structure is well designed one can use Featureini file to control NeoRouter client
service to implement it
The file Featureini is located in the main configuration folder which can be various for different OS
On Windows Xp
XDocuments and SettingsAll UsersApplication DataZebraNetworkSystemsNeoRouter
On Vista+
XUsersAll UsersZebraNetworkSystemsNeoRouter
On Linux and Mac OSX
usrlocalZebraNetworkSystemsNeoRouter
On in-a-box
jffs
If it does not exist please create one
The only thing to do is define the parameters in the Featureini file
User Manual
NeoRouter Inc 2010 Page 43 of 53
NetworkBridge=1
LANSegment parameter
This is a set of parameters used for mapping the external IP address or IP range to a virtual IP address so that
NeoRouter can route the packets to the proper tunnel Its defined in the following format
LANSegment[index]=[IP|IP range|segment]VIP
[index] - number start from 1 for example 123
[IP] - a valid external IP address for example 192168129126
[IP range] - a set of external IP addresses in the format as IP_BEGIN-IP_END For example 192168129126-
192168129128
[segment] - a set of external IP addresses in the format as SUBNETWORKNETMASK For example
19216812902552552550
For example
[Default]
NetworkBridge=1
LANSegment1=192168129126-192168129128192168129204
LANSegment2=192168129120192168129205
LANSegment3=192168302552552550192168129206
In the sample above the setting tells NeoRouter how to route packets
Here are several common scenarios
534 Bridging Setup ndash point to site VPN
Requirement
A company wants create a point-to-site VPN so that the employees can remotely access the printers or computers in
the office from home or customer site Since NeoRouter client cannot be installed on the printers and some
User Manual
NeoRouter Inc 2010 Page 44 of 53
computers that are running Unix OS (HP-Unix Solaris or SCO Unix) the NeoRouter Network Bridge feature
would the best choice
Design
Since we want to use the printer its better to use the bridging mode Depending on the requirements we split the
network into 3 groups
1 192168129126 - 192168128128 used for computers or printers
2 192168129200 - 192168129254 used for NeoRouter DHCP
3 Other IP address we dont want packets from these IP range go to our VPN
Setup
1 Setup NeoRouter server and config the DHCP address to 1921681292002552552550
2 Setup the gateway computer by creating a bridge to combine the NeoRouter virtual adapter and a local adapter
On Windows XP+ (except WinXp x64) one can use Windows tool to create a bridge
(check out MSDN for details)
Since some adapters may not fully support prosmic mode one has to enable it manually
(check out httpsupportmicrosoftcomkb302348)
gt netsh bridge show adapter
gt netsh bridge set a 1 e
gt netsh bridge set a 2 e
On Linux one can use brctl command to create a bridge
gt brctl addbr $br
gt brctl addif $br eth0
gt brctl addif $br nrtap
gt ifconfig nrtap 0000 promisc up
gt ifconfig eth0 0000 promisc up
gt ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast
gt
gt ifconfig $br down
gt brctl delbr $br
3 Setup Featureini file on each member of the NeoRouter network The content of the file is
[Default]
NetworkBridge=1
LANSegment1=192168129126-192168129128192168129204
After setting the file restart the nrservice or reboot computer
User Manual
NeoRouter Inc 2010 Page 45 of 53
535 Routing Setup ndash site to site VPN
Requirement
A company wants create a site-to-site VPN to link two offices located in different cities They cannot install
NeoRouter client software on their computers running Unix OS (HP-Unix Solaris or SCO Unix) The NeoRouter
Network Bridge feature would be the best choice
Design
To make the VPN fast its better to use the routing mode From the requirements we can see 3 networks
1 19216812902552552550 Office 1
2 192168302552552550 Office 2
3 100102552552550 NeoRouter virtual network
Setup
1 Setup NeoRouter client on each gateway computers
2 One each gateway computer enable the feature allowing the OS to forward packets
On Windows 2000+
create HKEY_Local_MachineSystemCurrentControlSetServicesTcpipParametersIPEnableRouter
as a string value equal to 1 in the registry This will require a system reboot to take effect To confirm it
is enabled do ipconfig all from the command line IP Routing Enabled should say yes If not confirm your
registry setting and reboot again This setting is flaky in non-server versions of Windows
Also refer to httpsupportmicrosoftcomkb230082en-us
On Linux
gt echo 1 gt procsysnetipv4ip_forward
User Manual
NeoRouter Inc 2010 Page 46 of 53
On Mac OS X
1) The easy way is to create or edit etcsysctlconf and add netinetipforwarding=1
or
2) gt sysctl -w netinetipforwarding=1
3 Setup route on each gateway
On the gateway of the 1921683x network
gt route ndashp add 1921681290 mask 25525500 1001103
On the gateway of the 192168129x network
gt route ndashp add 19216830 mask 25525500 1001102
4 Setup route stable When using routing method you need to tell your other machines how to cross the VPN to
access computers on the opposite network
Option1
This requires more work but limits configuration changes to be at the computer level
On each computer of the 1921683x network
gt route ndashp add 1921681290 mask 25525500 1921683234
On each computer of the 192168129x network
gt route ndashp add 19216830 mask 25525500 192168129129
Option 2 (not all routers support this but it is the minimal configuration method)
On the router acting as the default gateway for 1921683x network add a static route that says any traffic destined
for 1921681290 network go through 1921683x (IP address of NeoRouter PC on 1921683x network)
On the router acting as the default gateway for 192168129x network add a static route that says any traffic
destined for 19216830 network go through 192168129x (IP address of NeoRouter PC on 192168129x
network)
User Manual
NeoRouter Inc 2010 Page 47 of 53
536 Bridging Setup ndash site to site VPN
537 Run Scripts When Network Bridge feature is enabled one can define commands getting called by NR Client on the following
events
These commands should be defined in the Featureini file
1When initialize the tap device but not activate it yet
CmdOnTapInit=xxxxxxxxx
2When the tap device gets activated
CmdOnTapActive=xxxxxxxxx
3When tap device gets destroyed
CmdOnTapUninit=xxxxxxxxx
These options are available on all platforms
For example one can define a script to setup static route table after the tap gets activated and has virtual IP address
assigned
Featureini
CmdOnTapActive=usrbinsetroutetablesh
User Manual
NeoRouter Inc 2010 Page 48 of 53
54 Build Custom Add-on (Windows)
541 Create Custom Add-on You can customize an add-on or even create your own
As an example letrsquos create an add-on to get the system info of a remote computer using PsTools by Mark
Russinovich and systeminfoexe command shipped with Windows
PsTools httptechnetmicrosoftcomen-ussysinternalsbb896649aspx
systeminfo httptechnetmicrosoftcomen-uslibrarybb491007aspx
a Launch NeoRouter Network Explorer open Add-ons Manager dialog
b Click + button to create a new add-on
c In add-on properties dialog enter the following
Add-on name psexec systeminfo
Command
cmdexe C cpstoolspsexecexe NRIPAddress -u ltusernamegt systeminfo amp pause
Please replace ltusernamegt with username on the remote computer
Comment Get SystemInfo of remote machine using psexec
Startup Type Manual
Icon click Change Icon button to choose one thats easy to recognize
d In the command you can use Windows environment variables or NeoRouter variables like
NRIPAddress If you click on the button next to the Command edit box you will see the Edit
Command dialog with a list of variables you can use
User Manual
NeoRouter Inc 2010 Page 49 of 53
e Three Startup types are supported
Manual the add-on will be displayed in the launch pad of Network Explorer and user can manually
launch the program
Automatic after signing in the add-on command is automatically executed when user signs into
NeoRouter Network Explorer
Automatic after Windows starts the add-on command is automatically executed when Windows
starts
f Launch the new add-on just click on the target computer in Network Explorer and choose the add-on in
the pop-up launch pad
User Manual
NeoRouter Inc 2010 Page 50 of 53
g In the above steps I have assumed that PsTools are installed at cPsTools and the remote computer has
telnet service enabled If not lets configure the system now
PsTools download from httptechnetmicrosoftcomen-ussysinternalsbb896649aspx and extract to
cPsTools folder
h Configure telnet service on remote computer This step is required on XPVista but not necessary on
Windows 20032008 servers
Run servicesmsc from the Start -gt Run command window and configured the Telnet service for
Automatic Start the service
Follow the instructions here httpsupportmicrosoftcomkb298060en-us
Launch Windows firewall and add CWINDOWSSystem32tlntsvrexe to exception list
542 Add-on File Formats
NeoRouter supports two types of add-on files nri and nra Most users only need to deal with nri files all files
downloaded from httpwwwneoroutercomaddonsindexhtml are in this format nra files are used by advanced
users to build custom add-ons
nri is the full installation package that contains both the application and the the configure info Users can simply
download nri files from and use the Install button to setup the add-on
nra contains only the configuration info Advanced users can create custom add-ons and export the configuration
info as nra files using the Export button in the add-on properties dialog Then heshe can import the nra file
on another client But remember that you will need to manually setup the application as well
User Manual
NeoRouter Inc 2010 Page 51 of 53
6 Licensing NeoRouter
61 Licensing Overview
NeoRouter Server Professional Edition has a license control mechanism User can purchase either 8 licenses or 256
licenses The number of licenses is the max number of client computers allowed in the virtual network A
NeoRouter client requires one license regardless of whether it is online or offline A NeoRouter PortableUSB client
requires one license when it is connected to the virtual network There is no limit on the number of user accounts
NeoRouter Professional has 30 days trial period Please activate before the trial period expires to ensure
uninterrupted usage The license status and remaining trial days can be found at Configuration Explorerrsquos General
page
62 Activation
If you have purchased NeoRouter Professional Edition you should receive a product key in email Please have the
product key ready before starting the activation process
a Ensure NeoRouter server is running
b Launch Configuration Explorer and sign in
c Open ldquoGeneralrdquo page click on the ldquoActivate Productrdquo button
d Enter the product key in the following dialog
e Click on the ldquoOKrdquo button to activate it
After successful activation the ldquoActivate Productrdquo button will disappear and License status will show as activated
If the server host is non-Windows you can also activate using nrserverrsquos CLI The command is as follows On Mac
nrserver executable is located under LibraryNeoRouter
ldquonrserver ndashactivateproduct ltPRODUCT KEYgtrdquo
63 Product Key Recovery
You should receive a product key in email within 48 hours after your purchase If you lose the product key please
contact us and provide your name company shipping address and email address We will verify the information and
resend the product key to you
User Manual
NeoRouter Inc 2010 Page 52 of 53
7 Troubleshooting and Support
71 Troubleshooting
If you come cross issues when using NeoRouter please use the methods to debug or report
711 Troubleshooting steps
1Install Server
2Check Server
Process
3Check Server
Listening port
4Check Port
Forwarding
6Signin with
Domain
14Check Error
Message
20 Generate Log
and email support
9Install Client
10Check Client
Service Process
11Sign in with
serverrsquos local or
public IP and port
failed
sucessful
15 Manually Start
Servernot found
started
not start
found
not open17 Check Port
conflicts
solved
Not solved
opened
19 Check Router
Port Forward
setting
not work
Set properly
8Ready
Sign in successfully
5Sign in with
public IP and port
successful
Cannot sign in
22 Router Hairpin
issue
Cannot
sign in
12Sign in with
domain name
found
successful
failed
16 Manually Start
Client ServiceNot found
started
13Ready
Sign in successfully
18 Check serverCannot
Sign in
solved
Cannot
sign in
21 Check domain
setting
Not sovled solved
Troubleshooting Steps
Setup Server Setup Client
Note
Step 2 and 10 to check if a process is running you can use Task Manager or Services Console on
Windows or ps command on other platforms
Step 3 to check server listening port you can use telnet or netstat on all platforms You can also
TcpViewer on Windows or NetActView on Linux
Step 4 to check port forwarding you can use httpwwwneoroutercomcheckportphp
Step 5 and 6 Tip ndash use Configuration Explorer instead of Network Explorer to debug server issues
Step 20 next section will explain how to generate log files
User Manual
NeoRouter Inc 2010 Page 53 of 53
Step 22 If your router does not support Hairpin please set serverrsquos LAN address in the Connection
Options dialog See Server Local Address
712 Generate Log
If you need technical support please use the following steps to collect the log files and send them to
supportneoroutercom
a Launch Network Explorer
b Select menu item HelpgtgtTroubleshootinggtgtLog Session to File
c If you want to troubleshoot the server then restart the NeoRouter server service from the servicesmsc if
you want to create log for the client then restart the NeoRouter client service from the servicemsc
d After reproduce the issue select menu item HelpgtgtTroubleshootinggtgt Log Session to File again to disable
the log and restart the service you are trying to log
e Select menu item HelpgtgtTroubleshootinggtgtOpen Configuration Folder and you will see the log file
For advanced users please setup logging settings manually referring to
httpwwwneoroutercomwikiindexphpNeoRouterWikiFAQHow_to_generate_a_log_file3F
72 Contact Us
Company website
httpwwwneoroutercom
Technical support
supportneoroutercom
Support ticket
httpswwwneoroutercomDashboardSendTicketaspx
Support forum
httpwwwneoroutercomforum
Product sales
salesneoroutercom
Knowledge base
httpwwwneoroutercomsupport
User Manual
NeoRouter Inc 2010 Page 23 of 53
c An add-on is essentially an apple script with NeoRouter parameters Here are some examples
Name Script
Copy IP set the clipboard to $NRIPAddress
Ping tell application Terminal to do script ping $NRIPAddress
Shared Folder tell application Finder to open location smb$NRIPAddress
Variables $NRIPAddress and $NRComputerName will be replaced with the IP and name of the selected
computer before the add-on is executed
d You can also create new add-ons or edit existing ones using the Add-On Properties dialog
User Manual
NeoRouter Inc 2010 Page 24 of 53
e To learn more about Apple Script please visit the following websites
httpenwikipediaorgwikiAppleScript
httpdeveloperapplecommaclibrarydocumentationAppleScriptConceptualAppleScriptXAp
pleScriptXhtml
34 Connection Options Connection Options dialog can be opened from Network Explorer menu ldquoFile | Connectionrdquo
341 P2P Connection This option allows user to specify the connection type between this computer and its peers The default option is
UDP User can also use direct TCP connection or relay traffic through NeoRouter server
342 Proxy Setting If the client host is behind proxy user can enter the proxy information here
User Manual
NeoRouter Inc 2010 Page 25 of 53
343 Server Local Address This option can be used to work around the connectivity issue when NeoRouter server is behind a router that does
not support hairpin
A router supports hairpin if it allows a host behind it to send network messages to its public-facing interface
Unfortunately some popular routers do not support this feature or turn off this feature by default
When user logs into NeoRouter Network Explorer first translates domain name into routerrsquos public address using
the NeoRouter DDNS service and then tries to connect to server using this address If both NeoRouter server and
client are behind the same router and the router does not support hairpin the router will block the messages that
client sends to the routerrsquos public address thus client fails to establish connection to server User could work around
this issue by entering serverrsquos LAN IP address instead of domain name in the ldquolog on tordquo box but this can be a
hassle for laptop users who frequently move between networks
These users can choose the second option ldquoConnect to server using its local address when possiblerdquo in the following
dialog and enter serverrsquos local address NeoRouter Network Explorer can detect when client and server are behind
the same router and automatically choose the specified local address to establish the connection to server
User Manual
NeoRouter Inc 2010 Page 26 of 53
35 Multi-Language
Multi-Language support allows you to change the default language displayed in Network Explorer NeoRouter
Portable and Configuration Explorer
351 Install a language resource file
NeoRouter applications support 34 languages and English is the default To install a new language you can
download the language resource files from
httpwwwneoroutercomwikiindexphpNeoRouterWikiMultilanguage and place them under the translation
folder Then the application will load them and list all available languages in the Language menu You can switch
language in the menu and the application will refresh its UI with the new language
For NeoRouter Network Explorer and Configuration Explorer the language resource files should be placed under
one of the following folders
ldquoProgram FilesZebraNetworkSystemsNeoRouterTranslationrdquo
ldquoAllUsersAppdataZebraNetworkSystemsNeoRouterTranslationrdquo
For NeoRouter PortableUSB the language resource file should be placed under Translations folder next to
application
352 Language resource file format
The file name should have the following format [Appliation Name] can be NRClient NRViewer and NRConsole
[LangCd] is the short language code
[Application name]Resource[LangCd][xml|dll]
For example Simplified Chinese version has the following files NRClientResourceZhCnxml for Network
Explorer NRConsoleResourceZhCnxml for Configuration Explorer and NRViewerResourceZhCnxml for
NeoRouter Portable
User Manual
NeoRouter Inc 2010 Page 27 of 53
Each resource file is an xml that contains all the strings defined in the NeoRouter applications The file is encoded in
ANSI The content should be in the format
ltxml version=10 encoding=windows-1252gt
ltresource CompactMode=1 Language=English (United States) LANGID=1033
version=09101650gt
ltstring id=100 value=OLE initialization failed Make sure that the OLE libraries are
the correct versiongt
ltresourcegt
Encoding (=windows-1252) Language(=English (United States)) and LANGID(=1033) are used to control
the translation version=09101650 is resource file version number introduced in v0910 The resource file can
be recognized properly only when these parameters are set properly
353 Multi-Language support for Add-ons
The names and descriptions of the add-ons can be translated to other languages as well You can download the add-
on configuration file from NeoRouter website and overwrite the following file
AllUserAppDataZebraNetworkSystemsNeoRouterAddOnsAddOnxml
36 Skin
Skin allows you to further customize the user interfaces of Network Explorer NeoRouter Portable and
Configuration Explorer
To install a new skin you can download the skin resource file from
httpwwwneoroutercomwikiindexphpNeoRouterWikiSkin and place them under the skin folder
For NeoRouter Network Explorer and Configuration Explorer the language resource files should be placed under
one of the following folders
ldquoProgram FilesZebraNetworkSystemsNeoRouterSkinrdquo
ldquoAllUsersAppdataZebraNetworkSystemsNeoRouterSkinrdquo
For NeoRouter PortableUSB the language resource file should be placed under Skin folder next to executable
To change default skin you need to modify (or create if not exists)
AllUserAppDataZebraNetworkSystemsNeoRouterFeatureini file and add the following
[Default]
SkinName=xxxxstyles
SkinStyle=xxxxini
37 Network Explorer CLI
NeoRouter Network Explorer Command Line Interface (CLI) allows user to sign in manage the computer list and
view computer status Below are the screenshots on Mac and Ubuntu Linux
User Manual
NeoRouter Inc 2010 Page 28 of 53
371 Launch CLI
Usage nrclientcmd [-d DOMAIN] [-u USERNAME] [-p PASSWORD] [-setproxy] [-setconn] [-dbroot DBROOT]
[-internal] [--help]
To launch Network Explorer CLI you can simply run nrclientcmd in a terminal without parameters Mac users can
simply double-click on the nrclientcmd shortcut on the Desktop You will be prompted for domain name and user
credential
If you need to launch nrclientcmd in a startup script you can also provide domain name or credential in the
command line arguments
If the client host is behind a proxy you can use ndashsetproxy option The proxy information will be stored in the
configuration file and nrclientcmd will respect this setting subsequently
There are also a few advance options
- setconn allow user to specify client-to-client connection type
- dbroot allow user to specify the location to store user data
- internal nrclientcmd will generate tags between information sections This option can be used by third
party developers to create a UI wrapper for CLI
372 Computer List in CLI
After signing in you will see your computer list just like on Windows The computer list will automatically update
if there are any changes in your virtual LAN eg a host comes online or offline
At the bottom of the screen lists the available commands you can use to manage the computer list change password
remotely wake up a computer or to quit
38 Network Explorer Portable
NeoRouter Network Explorer Portable can run from any computer without installation It does not require
administrator permission or use the virtual network adapter This application can be extremely useful for users who
need to connect to the VLAN from a public kiosk or from friendrsquos house
User Manual
NeoRouter Inc 2010 Page 29 of 53
Note Prior to v111 Portable and USB are two separate packages They are merged into one package in v111 and
later releases The new package is a zip file containing both the portable client and the USB Auto Run Configuration
Tool The functionalities are same as before
381 Network Explorer Portable
To use Network Explorer Portable client user can simply download it from NeoRouter download website and run
Then user will see the same user interface as the regular Network Explorer The user experience is almost the same
except for the following
The host running PortableUSB client cannot be added to the computer list or be accessed by remote computer
You can think of it as a ldquoviewer of the VLANrdquo
NeoRouter administrator users can see and manage hosts running PortableUSB clients in the Configuration
Explorer
382 Auto Run Configuration for USB
Auto Run Configuration Tool allows user to store the portable client add-ons and configuration on a USB drive
You can even configure it to launch and sign in automatically when the USB drive is plugged into a computer and to
sign out and exit when the USB drive is unplugged
Here are the steps for setting up the USB package
a Download NeoRouter for USB
b Unzip the package to any folder For example CTEMP
c Launch the ldquoAuto Run Configuration Toolrdquo (AutoRunCfgexe)
User Manual
NeoRouter Inc 2010 Page 30 of 53
d Click on the ldquohelliprdquo button next to the working directory text box and specify a working path If the target
USB drive is plugged in you can specify the USB drive root path as the working directory Or you can
specify a temporary path (eg CTEMPUSB) and copy the files to your USB driver later
e Once you specify a working directory the Settings section will be enabled
f Choose CliViewerexe from the same install zip package as the Target file
g Check the Sign in checkbox and enter the domain name and user information to log into your NeoRouter
VLAN
h Setup the proxy information if necessary
i If you want to import a NeoRouter add-on click on the button on the right side of the Add-on file text
box and specify an add-on nri file
j If you want to run an application automatically after signing in click on the Run application
automatically check box and input an executable file path and parameters
k If you want to hide the NeoRouter Viewer window click on the Minimize NeoRouter window when
started
l Click on Save button to save the configuration files It will generate the following files under the working
directory
- Autoruninf
- CliViewerexe copied from the target file
- NRAutoRunxml
- [add-on file]nri if you specify an add-on
- Proxyxml if you specify a proxy
m You will also see the following dialog if the configuration was successful Then please copy all files and
sub-folder under the working directory to the root of your USB drive And the USB drive is ready to use
39 Change Password
A user can change hisher password in NeoRouter Network Explorer User must sign in the Network Explorer using
old password then choose menu ldquoFile | Change Passwordrdquo then enter the new password in the dialog
Network Explorer CLI has similar functionality After signing in user can use ndashchangepassword command to enter
new password
If a user loses the old password an administrator can create a new password for himher using the Configuration
Explorer User Management tool
User Manual
NeoRouter Inc 2010 Page 31 of 53
4 Configuration Explorer
NeoRouter Configuration Explorer is a Windows application that allows an administrator to manage local or remote
NeoRouter server This is the recommended method to change server settings
If user does not have a Windows computer nrserver CLI can be used to perform most configurations
41 Launch and Sign In
Note Only administrators can sign in Configuration Explorer
a User can launch it from Windows Start Menu | All Programs | NeoRouter | NeoRouter Network Explorer
or from NeoRouter Network Explorer menu ldquoFile | Optionsrdquo
b After launch user will see a sign-in dialog that is similar to the Network Explorer counterpart Please enter
domain name and user credential to sign in If the local host is behind a proxy please click on Connection
button to set proxy information
c After sign in the following general information page will be displayed
User Manual
NeoRouter Inc 2010 Page 32 of 53
42 Managing Users
In the User Accounts page you can perform the following tasks
- View existing users The users list can be sorted by any column
- Add a new user admin will create a temporary password for the new user and user can change the
password in Network Explorer
- Edit user information you can enter anything like employer contact info etc
- Set userrsquos password If a user loses password admin can set a temporary password for himher Then user
can change the password again in Network Explorer
- Disable (block) a user A disabled user will not be able to sign in Network Explorer or Configuration
Explorer The userrsquos profile and ACL settings are retained
- Delete a user all information of this user is deleted
- View the computers that are visible to this user (see ACL section for details)
User Manual
NeoRouter Inc 2010 Page 33 of 53
43 Managing Computers
In the Computers page you can perform the following tasks
- View existing computers please note that the Type column will show ldquoTemporaryrdquo for Network Explore
PortableUSB clients and ldquoPermanentrdquo for regular clients The computer list can be sorted by any column
- Edit a computerrsquos alias When a computer is added to the virtual network NeoRouter reads the computer
name from the OS and displays it in the computer list If you prefer a different name you can create an
alias which will then be used in the computer list
- Edit a computerrsquos description you can enter anything like computer owner location asset id etc
- Edit ACL this will be discussed in next section
User Manual
NeoRouter Inc 2010 Page 34 of 53
44 Access Control List
This feature is available in NeoRouter Profession Edition only
441 Overview
The ACL of a host specifies which users are granted or denied access to the host and which specific services or ports
are allowed Administrators can use ACL to manage a NeoRouter domain that has users with different trust levels
For example Joe uses NeoRouter to manage the office network at his small business He wants to share some
documents on a file server with a customer but block this customer from accessing other services on this file server
and other computers at office At the same time Joe and his coworkers should continue to have full access to all
computers
This can be a daunting task with traditional VPN solutions Once Joersquos customer is connected into the office
network heshe can access all network resources just like Joe and his coworkers If the office uses a domain
controller it can help mitigate the threat but Joe would have to check all the computers to ensure they are secure
Some coworkers can make innocent mistakes and share important files or internal websites with ldquoeveryonerdquo With
NeoRouter Joe can manage all the access control at one place and easily solve this challenge
User Manual
NeoRouter Inc 2010 Page 35 of 53
ACL defines the relationships between users and computers that can be conceptually represented using a table In
Joersquos case he needs to define the ACL as follows
Default User Joe (Admin) Customer Joersquo Co-workers
Default Computer ACL Block all
File Server Allow all Allow file sharing
block other services
Office Computer A Allow all Block all
Office Computer B Allow all Block all
Joersquos laptop Allow all Block all
Customerrsquos Computer
Letrsquos first look at the row for File Server Joersquos customer will only have access to the files sharing service There is
no ACL defined for Joe and his co-workers so the ACL for Default User is effective and they have full access
Similarly the customer will be blocked from accessing office computer A and B as well as Joersquos laptop while Joe
and his coworkers have full access to these computers
When the customer connects to Joersquos NeoRouter domain his computer will be added to the domain Because the
ACL for this computer is undefined it will have the same ACL as ldquoDefault Computerrdquo Thus the customerrsquos
computer will block all users including Joe from accessing it The customer has physical access to his own
computer
442 Define Computer ACL
You can think of a computerrsquos ACL as a row in the above ACL table An admin can select any computer in the
computer list and edit its ACL If a group of computers share the same ACL admin can copy ACL from one
computer to another
To edit the Default Computer ACL you can click on the ldquoEdit Default ACLrdquo button in the tool bar
User Manual
NeoRouter Inc 2010 Page 36 of 53
443 Define ACL entry
An ACL entry defines the relationship between one user and one computer You can think of it as a cell in the above
table To edit an ACL entry you can select the computer in the computer list click Edit ACL in the tool bar and
then select the user in the User List in the following dialog If the user does not exist in the list you can click Add
button and add himher
There are 4 types of ACL entries
Undefined the relationship between the user and the computer is not explicitly defined The user does not
show up in the User List of the ACL In this case the Default User ACL entry for this computer will be
effective
Block All the computer is invisible to the user User cannot add the computer to hisher computer list in
Network Explorer or connect to it
Note admin can view the list of computers that is visible to a specific user Click on the User Accounts tab
choose the user and then click on the ldquoUser Computer Listrdquo button from tool bar
Firewall On User can only access the services in the exceptions list provided by the computer
Firewall Off User can access all services provided by the computer
To define the Default User ACL entry for a computer choose Default User from User List If several users have the
same trust level admin can copy the ACL entry from one user to another using the ldquoCopy Fromrdquo button
444 How Firewall Works
NeoRouter Client Service daemon has a built-in firewall that monitors traffic in the virtual network The firewall
downloads the ACL from server and uses it to allow or deny incoming connections in the virtual network
User Manual
NeoRouter Inc 2010 Page 37 of 53
When a remote computer establishes a direct P2P or relayed connection to local host it also informs which user has
signed into the Network Explorer on the remote computer Then the local hostrsquos firewall will use the user id to
choose the appropriate ACL entry and control the virtual network traffic between these two computers If user does
not sign in Network Explorer on the remote computer the Default User ACL entry is used
As a result NeoRouter firewall can control a userrsquos access to a network resource (a computer or a service on a
computer) based on the ACL
445 Example hub-and-spoke
Jeffrsquos company has three business partners A B and C Jeff needs to setup bidirectional network connections with
each partner but these partners should be invisible to each other Jeff setup a NeoRouter domain and invited the
partners to Then Jeff creates the following ACL to achieve his access control goals
Default User Jeff (Admin) Partner A Partner B Partner C
Default Computer ACL Block all Allow all
Jeffrsquos Computer 1 (Hub 1) Allow all
Jeffrsquos Computer 2 (Hub 2) Allow all
Partner Arsquos Computer
Partner Brsquos computer
Partner Crsquos computer
Every user will have access to Jeffrsquos two computers (hub) because they have Default User ACL entry as ldquoAllow
allrdquo Partner Arsquos computer does not have a specific ACL defined so the Default Computer ACL is effective The
Default Computer ACL grants Jeff access to Partner Arsquos computer but make the computer invisible to Partner B and
C Partner A have physical access to his own computer
446 Example one-way access
Jasonrsquos company provide technical support for customer A Jason needs to have one-way access to Customer Arsquos
computer but block Customer A from accessing Jasonrsquos computer Jason sets up the following ACL for his domain
and invites Customer A to join his domain Jason can access all the computers in the domain while Customer A can
access none except for his own
One day Jason visits another Customer Brsquos office He installs NeoRouter client on Customer Brsquos computer so that he
can provide technical support remotely in the future When he signs into Network Explorer he makes sure to
uncheck ldquoremember my passwordrdquo checkbox When he leaves customer Brsquos office he exits the Network Explorer
Because Network Explorer is not running on Customer Brsquos computer the Default User ACL governs the
connections from Customer Brsquos computer to other computers in the VLAN Thus Customer B does not have access
to any computers except for his own When Jason goes back to his office he can connect to Customer Brsquos computer
remotely and provide customer support
The difference between Customer A and B is that Customer A has a NeoRouter user account while Customer B does
not The result is that Jason has access to all three computers while Customer A or B can only access hisher own
computer
Default User Jason (Admin) Customer A
Default Computer ACL Block all Allow all
Jasonrsquos Computer
Customer Arsquos Computer
Customer Brsquos Computer
User Manual
NeoRouter Inc 2010 Page 38 of 53
45 Managing Server and Domain
In the Settings page you can perform the following tasks
- Change domain name User should have setup a domain during the server installation If you decide to
change the domain name you can create a new domain at NeoRouter Dashboard website and then use
Configuration Explorer to switch the server to new domain
- Change Listen Port this is discussed in the Advanced Configuration chapter
- Change NAT setting this is discussed in the Server Installation chapter
- Change DHCP this is discussed in the Advanced Configuration chapter
Please restart the NeoRouter server daemon after changes
46 Branding
This feature is available in NeoRouter Profession Edition only
Admin can customize the logo on the sign-in page NeoRouter Network Explorer and the banner below the computer
list The customization page of the Configuration Explorer allows user to make these changes The changes will be
effective next time user signs into the Network Explorer
User Manual
NeoRouter Inc 2010 Page 39 of 53
a Logo format custom logo can be JPG JPEG BMP or GIF files The Logo will be displayed in 180 80
pixels and the file will be automatically resized to fit The color of the pixel at (0 0) will be used as the
transparent color
b Banner format custom banner can be JPG JPEG BMP or GIF files The banner will be displayed in
190 42 pixels and the file will be automatically resized to fit
c When user clicks on the banner Network Explorer will launch a web browser and navigate to the link
specified in the ldquoBanner Linkrdquo box The banner link should be a valid URL that begins with http eg
httpwwwgooglecom
User Manual
NeoRouter Inc 2010 Page 40 of 53
47 Server Configuration CLI
Another way to configure the NeoRouter server is to use nrserverrsquos CLI If user does not have a Windows computer
with Configuration Explorer this tool can be used to set most configurations
Usage nrserver [options]
-run [--dbroot ltDBROOTgt]]
-showsettings
-setdomain ltDOMAINNAMEgt ltDOMAINPASSWORDgt
-setport ltPORTgt
-dhcp ltSUBNETgt ltNETMASKgt
-showusers
-adduser ltUSERNAMEgt ltPASSWORDgt [admin|user]
-setpassword ltUSERNAMEgt ltNEW PASSWORDgt
-setrole ltUSERNAMEgt [admin|user]
-enableuser ltUSERNAMEgt
-disableuser ltUSERNAMEgt
-deleteuser ltUSERNAMEgt
-showcomputers
-deletecomputer COMPUTERNAME
-setalias COMPUTERNAME ALIAS
-help
5 Advanced Configuration
51 Change Server Port
By default NeoRouter server listens at TCP port 32976 for incoming client connections User can change the
listening port to any valid number between 1 and 65534
a Launch Configuration Explorer sign in and open the Settings tab
b Click on ldquoChange Portrdquo button input the new listening port and click ldquoOkrdquo to save the settings
c If the NeoRouter Server is running on the same computer user will be prompted for restarting the
NeoRouter Server
d If the NeoRouter Server is running on a different computer or device user needs to restart the server
manually
User Manual
NeoRouter Inc 2010 Page 41 of 53
Note
- The new settings will not take effect until the NeoRouter server stops and restarts
- Since the listening port has been changed all NeoRouter clients connected to the server will be
disconnected and have to reconnect to the server
52 Change DHCP NeoRouter server acts as a DHCP server to allocate the virtual IP address when a NeoRouter client connects to it By default the base IP address is 100002552552550 User can change the base IP address to any valid network IP address to meet the specific requirements
a Run Configuration Explorer sign in and open the ldquoSettingsrdquo tab b Click on ldquoChange DHCPrdquo button input the new IP address and netmask and then click ldquoOkrdquo to save the
settings c If the NeoRouter Server is running on the same computer user will be prompted for restarting the
NeoRouter Server d If the NeoRouter Server is running on a different computer or device user needs to restart the server
manually
Note
- The new settings will not take effect until the NeoRouter server stops and restarts
53 Network Bridge
531 Overview NeoRouter (v099 or later) supports the Network Bridge feature which uses two very different means for
interconnecting networks routing and bridging Once the feature is enabled the ACL feature will be disabled
automatically as we cannot control the packets from the external networks anymore and may cause security issues if
its not setup properly So this is an advanced feature for the users who know about it every well
Routing - refers to the interconnection of separate and independent sub-networks (subnets) which have non-
overlapping ranges of IP addresses Upon receiving a packet sent to it a network router examines the
destination IP address to determine which of several connected networks should receive it after which that packet
is forwarded to the proper network
User Manual
NeoRouter Inc 2010 Page 42 of 53
Bridging - by comparison is much simpler A network bridge is simply an electrical interconnection between
separate physical networks that are all carrying the same ranges of IP addresses Standard dumb network hubs
and switches are examples of network bridges With a hub packets arriving at any port are bridged and sent
out to every other port A switch is a bit smarter since it is able to adaptively learn which network interface cards
(NICs) are attached to which ports But a switch is still interconnecting network segments carrying the same
ranges of IP addresses
532 Routing vs Bridging Although routed connections are the most common and straightforward to configure they suffer from significant
operational limitations By comparison bridged connections are generally much trickier to configure and are not
even natively available under all operating systems so they are not the default connection type But when bridging
is properly setup it correctly does everything that we want
Bridging and routing are functionally very similar with the major difference being that a routed VPN will not pass
IP broadcasts while a bridged VPN will
Routing advantages
Efficiency and scalability
Allows better tuning of MTU for efficiency
Routing disadvantages
Clients must use a WINS server (such as samba) to allow cross-VPN network browsing to work
Routes must be set up linking each subnet
Software that depends on broadcasts will not see machines on the other side of the VPN
Works only with IPv4 in general and IPv6 in cases where tuntap drivers on both ends of the connection
support it explicitly
Bridging advantages
Broadcasts traverse the VPN -- this allows software that depends on LAN broadcasts such as Windows
NetBIOS file sharing and network neighborhood browsing to work
No route statements to configure
Works with any protocol that can function over ethernet
Relatively easy-to-configure solution for road warriors
Bridging disadvantages
Less efficient than routing and does not scale well
533 Setup Network Bridge With either bridging mode or routing mode one can create point-to-site VPN site-to-site VPN or even multiple site-
to-site networks Once a network structure is well designed one can use Featureini file to control NeoRouter client
service to implement it
The file Featureini is located in the main configuration folder which can be various for different OS
On Windows Xp
XDocuments and SettingsAll UsersApplication DataZebraNetworkSystemsNeoRouter
On Vista+
XUsersAll UsersZebraNetworkSystemsNeoRouter
On Linux and Mac OSX
usrlocalZebraNetworkSystemsNeoRouter
On in-a-box
jffs
If it does not exist please create one
The only thing to do is define the parameters in the Featureini file
User Manual
NeoRouter Inc 2010 Page 43 of 53
NetworkBridge=1
LANSegment parameter
This is a set of parameters used for mapping the external IP address or IP range to a virtual IP address so that
NeoRouter can route the packets to the proper tunnel Its defined in the following format
LANSegment[index]=[IP|IP range|segment]VIP
[index] - number start from 1 for example 123
[IP] - a valid external IP address for example 192168129126
[IP range] - a set of external IP addresses in the format as IP_BEGIN-IP_END For example 192168129126-
192168129128
[segment] - a set of external IP addresses in the format as SUBNETWORKNETMASK For example
19216812902552552550
For example
[Default]
NetworkBridge=1
LANSegment1=192168129126-192168129128192168129204
LANSegment2=192168129120192168129205
LANSegment3=192168302552552550192168129206
In the sample above the setting tells NeoRouter how to route packets
Here are several common scenarios
534 Bridging Setup ndash point to site VPN
Requirement
A company wants create a point-to-site VPN so that the employees can remotely access the printers or computers in
the office from home or customer site Since NeoRouter client cannot be installed on the printers and some
User Manual
NeoRouter Inc 2010 Page 44 of 53
computers that are running Unix OS (HP-Unix Solaris or SCO Unix) the NeoRouter Network Bridge feature
would the best choice
Design
Since we want to use the printer its better to use the bridging mode Depending on the requirements we split the
network into 3 groups
1 192168129126 - 192168128128 used for computers or printers
2 192168129200 - 192168129254 used for NeoRouter DHCP
3 Other IP address we dont want packets from these IP range go to our VPN
Setup
1 Setup NeoRouter server and config the DHCP address to 1921681292002552552550
2 Setup the gateway computer by creating a bridge to combine the NeoRouter virtual adapter and a local adapter
On Windows XP+ (except WinXp x64) one can use Windows tool to create a bridge
(check out MSDN for details)
Since some adapters may not fully support prosmic mode one has to enable it manually
(check out httpsupportmicrosoftcomkb302348)
gt netsh bridge show adapter
gt netsh bridge set a 1 e
gt netsh bridge set a 2 e
On Linux one can use brctl command to create a bridge
gt brctl addbr $br
gt brctl addif $br eth0
gt brctl addif $br nrtap
gt ifconfig nrtap 0000 promisc up
gt ifconfig eth0 0000 promisc up
gt ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast
gt
gt ifconfig $br down
gt brctl delbr $br
3 Setup Featureini file on each member of the NeoRouter network The content of the file is
[Default]
NetworkBridge=1
LANSegment1=192168129126-192168129128192168129204
After setting the file restart the nrservice or reboot computer
User Manual
NeoRouter Inc 2010 Page 45 of 53
535 Routing Setup ndash site to site VPN
Requirement
A company wants create a site-to-site VPN to link two offices located in different cities They cannot install
NeoRouter client software on their computers running Unix OS (HP-Unix Solaris or SCO Unix) The NeoRouter
Network Bridge feature would be the best choice
Design
To make the VPN fast its better to use the routing mode From the requirements we can see 3 networks
1 19216812902552552550 Office 1
2 192168302552552550 Office 2
3 100102552552550 NeoRouter virtual network
Setup
1 Setup NeoRouter client on each gateway computers
2 One each gateway computer enable the feature allowing the OS to forward packets
On Windows 2000+
create HKEY_Local_MachineSystemCurrentControlSetServicesTcpipParametersIPEnableRouter
as a string value equal to 1 in the registry This will require a system reboot to take effect To confirm it
is enabled do ipconfig all from the command line IP Routing Enabled should say yes If not confirm your
registry setting and reboot again This setting is flaky in non-server versions of Windows
Also refer to httpsupportmicrosoftcomkb230082en-us
On Linux
gt echo 1 gt procsysnetipv4ip_forward
User Manual
NeoRouter Inc 2010 Page 46 of 53
On Mac OS X
1) The easy way is to create or edit etcsysctlconf and add netinetipforwarding=1
or
2) gt sysctl -w netinetipforwarding=1
3 Setup route on each gateway
On the gateway of the 1921683x network
gt route ndashp add 1921681290 mask 25525500 1001103
On the gateway of the 192168129x network
gt route ndashp add 19216830 mask 25525500 1001102
4 Setup route stable When using routing method you need to tell your other machines how to cross the VPN to
access computers on the opposite network
Option1
This requires more work but limits configuration changes to be at the computer level
On each computer of the 1921683x network
gt route ndashp add 1921681290 mask 25525500 1921683234
On each computer of the 192168129x network
gt route ndashp add 19216830 mask 25525500 192168129129
Option 2 (not all routers support this but it is the minimal configuration method)
On the router acting as the default gateway for 1921683x network add a static route that says any traffic destined
for 1921681290 network go through 1921683x (IP address of NeoRouter PC on 1921683x network)
On the router acting as the default gateway for 192168129x network add a static route that says any traffic
destined for 19216830 network go through 192168129x (IP address of NeoRouter PC on 192168129x
network)
User Manual
NeoRouter Inc 2010 Page 47 of 53
536 Bridging Setup ndash site to site VPN
537 Run Scripts When Network Bridge feature is enabled one can define commands getting called by NR Client on the following
events
These commands should be defined in the Featureini file
1When initialize the tap device but not activate it yet
CmdOnTapInit=xxxxxxxxx
2When the tap device gets activated
CmdOnTapActive=xxxxxxxxx
3When tap device gets destroyed
CmdOnTapUninit=xxxxxxxxx
These options are available on all platforms
For example one can define a script to setup static route table after the tap gets activated and has virtual IP address
assigned
Featureini
CmdOnTapActive=usrbinsetroutetablesh
User Manual
NeoRouter Inc 2010 Page 48 of 53
54 Build Custom Add-on (Windows)
541 Create Custom Add-on You can customize an add-on or even create your own
As an example letrsquos create an add-on to get the system info of a remote computer using PsTools by Mark
Russinovich and systeminfoexe command shipped with Windows
PsTools httptechnetmicrosoftcomen-ussysinternalsbb896649aspx
systeminfo httptechnetmicrosoftcomen-uslibrarybb491007aspx
a Launch NeoRouter Network Explorer open Add-ons Manager dialog
b Click + button to create a new add-on
c In add-on properties dialog enter the following
Add-on name psexec systeminfo
Command
cmdexe C cpstoolspsexecexe NRIPAddress -u ltusernamegt systeminfo amp pause
Please replace ltusernamegt with username on the remote computer
Comment Get SystemInfo of remote machine using psexec
Startup Type Manual
Icon click Change Icon button to choose one thats easy to recognize
d In the command you can use Windows environment variables or NeoRouter variables like
NRIPAddress If you click on the button next to the Command edit box you will see the Edit
Command dialog with a list of variables you can use
User Manual
NeoRouter Inc 2010 Page 49 of 53
e Three Startup types are supported
Manual the add-on will be displayed in the launch pad of Network Explorer and user can manually
launch the program
Automatic after signing in the add-on command is automatically executed when user signs into
NeoRouter Network Explorer
Automatic after Windows starts the add-on command is automatically executed when Windows
starts
f Launch the new add-on just click on the target computer in Network Explorer and choose the add-on in
the pop-up launch pad
User Manual
NeoRouter Inc 2010 Page 50 of 53
g In the above steps I have assumed that PsTools are installed at cPsTools and the remote computer has
telnet service enabled If not lets configure the system now
PsTools download from httptechnetmicrosoftcomen-ussysinternalsbb896649aspx and extract to
cPsTools folder
h Configure telnet service on remote computer This step is required on XPVista but not necessary on
Windows 20032008 servers
Run servicesmsc from the Start -gt Run command window and configured the Telnet service for
Automatic Start the service
Follow the instructions here httpsupportmicrosoftcomkb298060en-us
Launch Windows firewall and add CWINDOWSSystem32tlntsvrexe to exception list
542 Add-on File Formats
NeoRouter supports two types of add-on files nri and nra Most users only need to deal with nri files all files
downloaded from httpwwwneoroutercomaddonsindexhtml are in this format nra files are used by advanced
users to build custom add-ons
nri is the full installation package that contains both the application and the the configure info Users can simply
download nri files from and use the Install button to setup the add-on
nra contains only the configuration info Advanced users can create custom add-ons and export the configuration
info as nra files using the Export button in the add-on properties dialog Then heshe can import the nra file
on another client But remember that you will need to manually setup the application as well
User Manual
NeoRouter Inc 2010 Page 51 of 53
6 Licensing NeoRouter
61 Licensing Overview
NeoRouter Server Professional Edition has a license control mechanism User can purchase either 8 licenses or 256
licenses The number of licenses is the max number of client computers allowed in the virtual network A
NeoRouter client requires one license regardless of whether it is online or offline A NeoRouter PortableUSB client
requires one license when it is connected to the virtual network There is no limit on the number of user accounts
NeoRouter Professional has 30 days trial period Please activate before the trial period expires to ensure
uninterrupted usage The license status and remaining trial days can be found at Configuration Explorerrsquos General
page
62 Activation
If you have purchased NeoRouter Professional Edition you should receive a product key in email Please have the
product key ready before starting the activation process
a Ensure NeoRouter server is running
b Launch Configuration Explorer and sign in
c Open ldquoGeneralrdquo page click on the ldquoActivate Productrdquo button
d Enter the product key in the following dialog
e Click on the ldquoOKrdquo button to activate it
After successful activation the ldquoActivate Productrdquo button will disappear and License status will show as activated
If the server host is non-Windows you can also activate using nrserverrsquos CLI The command is as follows On Mac
nrserver executable is located under LibraryNeoRouter
ldquonrserver ndashactivateproduct ltPRODUCT KEYgtrdquo
63 Product Key Recovery
You should receive a product key in email within 48 hours after your purchase If you lose the product key please
contact us and provide your name company shipping address and email address We will verify the information and
resend the product key to you
User Manual
NeoRouter Inc 2010 Page 52 of 53
7 Troubleshooting and Support
71 Troubleshooting
If you come cross issues when using NeoRouter please use the methods to debug or report
711 Troubleshooting steps
1Install Server
2Check Server
Process
3Check Server
Listening port
4Check Port
Forwarding
6Signin with
Domain
14Check Error
Message
20 Generate Log
and email support
9Install Client
10Check Client
Service Process
11Sign in with
serverrsquos local or
public IP and port
failed
sucessful
15 Manually Start
Servernot found
started
not start
found
not open17 Check Port
conflicts
solved
Not solved
opened
19 Check Router
Port Forward
setting
not work
Set properly
8Ready
Sign in successfully
5Sign in with
public IP and port
successful
Cannot sign in
22 Router Hairpin
issue
Cannot
sign in
12Sign in with
domain name
found
successful
failed
16 Manually Start
Client ServiceNot found
started
13Ready
Sign in successfully
18 Check serverCannot
Sign in
solved
Cannot
sign in
21 Check domain
setting
Not sovled solved
Troubleshooting Steps
Setup Server Setup Client
Note
Step 2 and 10 to check if a process is running you can use Task Manager or Services Console on
Windows or ps command on other platforms
Step 3 to check server listening port you can use telnet or netstat on all platforms You can also
TcpViewer on Windows or NetActView on Linux
Step 4 to check port forwarding you can use httpwwwneoroutercomcheckportphp
Step 5 and 6 Tip ndash use Configuration Explorer instead of Network Explorer to debug server issues
Step 20 next section will explain how to generate log files
User Manual
NeoRouter Inc 2010 Page 53 of 53
Step 22 If your router does not support Hairpin please set serverrsquos LAN address in the Connection
Options dialog See Server Local Address
712 Generate Log
If you need technical support please use the following steps to collect the log files and send them to
supportneoroutercom
a Launch Network Explorer
b Select menu item HelpgtgtTroubleshootinggtgtLog Session to File
c If you want to troubleshoot the server then restart the NeoRouter server service from the servicesmsc if
you want to create log for the client then restart the NeoRouter client service from the servicemsc
d After reproduce the issue select menu item HelpgtgtTroubleshootinggtgt Log Session to File again to disable
the log and restart the service you are trying to log
e Select menu item HelpgtgtTroubleshootinggtgtOpen Configuration Folder and you will see the log file
For advanced users please setup logging settings manually referring to
httpwwwneoroutercomwikiindexphpNeoRouterWikiFAQHow_to_generate_a_log_file3F
72 Contact Us
Company website
httpwwwneoroutercom
Technical support
supportneoroutercom
Support ticket
httpswwwneoroutercomDashboardSendTicketaspx
Support forum
httpwwwneoroutercomforum
Product sales
salesneoroutercom
Knowledge base
httpwwwneoroutercomsupport
User Manual
NeoRouter Inc 2010 Page 24 of 53
e To learn more about Apple Script please visit the following websites
httpenwikipediaorgwikiAppleScript
httpdeveloperapplecommaclibrarydocumentationAppleScriptConceptualAppleScriptXAp
pleScriptXhtml
34 Connection Options Connection Options dialog can be opened from Network Explorer menu ldquoFile | Connectionrdquo
341 P2P Connection This option allows user to specify the connection type between this computer and its peers The default option is
UDP User can also use direct TCP connection or relay traffic through NeoRouter server
342 Proxy Setting If the client host is behind proxy user can enter the proxy information here
User Manual
NeoRouter Inc 2010 Page 25 of 53
343 Server Local Address This option can be used to work around the connectivity issue when NeoRouter server is behind a router that does
not support hairpin
A router supports hairpin if it allows a host behind it to send network messages to its public-facing interface
Unfortunately some popular routers do not support this feature or turn off this feature by default
When user logs into NeoRouter Network Explorer first translates domain name into routerrsquos public address using
the NeoRouter DDNS service and then tries to connect to server using this address If both NeoRouter server and
client are behind the same router and the router does not support hairpin the router will block the messages that
client sends to the routerrsquos public address thus client fails to establish connection to server User could work around
this issue by entering serverrsquos LAN IP address instead of domain name in the ldquolog on tordquo box but this can be a
hassle for laptop users who frequently move between networks
These users can choose the second option ldquoConnect to server using its local address when possiblerdquo in the following
dialog and enter serverrsquos local address NeoRouter Network Explorer can detect when client and server are behind
the same router and automatically choose the specified local address to establish the connection to server
User Manual
NeoRouter Inc 2010 Page 26 of 53
35 Multi-Language
Multi-Language support allows you to change the default language displayed in Network Explorer NeoRouter
Portable and Configuration Explorer
351 Install a language resource file
NeoRouter applications support 34 languages and English is the default To install a new language you can
download the language resource files from
httpwwwneoroutercomwikiindexphpNeoRouterWikiMultilanguage and place them under the translation
folder Then the application will load them and list all available languages in the Language menu You can switch
language in the menu and the application will refresh its UI with the new language
For NeoRouter Network Explorer and Configuration Explorer the language resource files should be placed under
one of the following folders
ldquoProgram FilesZebraNetworkSystemsNeoRouterTranslationrdquo
ldquoAllUsersAppdataZebraNetworkSystemsNeoRouterTranslationrdquo
For NeoRouter PortableUSB the language resource file should be placed under Translations folder next to
application
352 Language resource file format
The file name should have the following format [Appliation Name] can be NRClient NRViewer and NRConsole
[LangCd] is the short language code
[Application name]Resource[LangCd][xml|dll]
For example Simplified Chinese version has the following files NRClientResourceZhCnxml for Network
Explorer NRConsoleResourceZhCnxml for Configuration Explorer and NRViewerResourceZhCnxml for
NeoRouter Portable
User Manual
NeoRouter Inc 2010 Page 27 of 53
Each resource file is an xml that contains all the strings defined in the NeoRouter applications The file is encoded in
ANSI The content should be in the format
ltxml version=10 encoding=windows-1252gt
ltresource CompactMode=1 Language=English (United States) LANGID=1033
version=09101650gt
ltstring id=100 value=OLE initialization failed Make sure that the OLE libraries are
the correct versiongt
ltresourcegt
Encoding (=windows-1252) Language(=English (United States)) and LANGID(=1033) are used to control
the translation version=09101650 is resource file version number introduced in v0910 The resource file can
be recognized properly only when these parameters are set properly
353 Multi-Language support for Add-ons
The names and descriptions of the add-ons can be translated to other languages as well You can download the add-
on configuration file from NeoRouter website and overwrite the following file
AllUserAppDataZebraNetworkSystemsNeoRouterAddOnsAddOnxml
36 Skin
Skin allows you to further customize the user interfaces of Network Explorer NeoRouter Portable and
Configuration Explorer
To install a new skin you can download the skin resource file from
httpwwwneoroutercomwikiindexphpNeoRouterWikiSkin and place them under the skin folder
For NeoRouter Network Explorer and Configuration Explorer the language resource files should be placed under
one of the following folders
ldquoProgram FilesZebraNetworkSystemsNeoRouterSkinrdquo
ldquoAllUsersAppdataZebraNetworkSystemsNeoRouterSkinrdquo
For NeoRouter PortableUSB the language resource file should be placed under Skin folder next to executable
To change default skin you need to modify (or create if not exists)
AllUserAppDataZebraNetworkSystemsNeoRouterFeatureini file and add the following
[Default]
SkinName=xxxxstyles
SkinStyle=xxxxini
37 Network Explorer CLI
NeoRouter Network Explorer Command Line Interface (CLI) allows user to sign in manage the computer list and
view computer status Below are the screenshots on Mac and Ubuntu Linux
User Manual
NeoRouter Inc 2010 Page 28 of 53
371 Launch CLI
Usage nrclientcmd [-d DOMAIN] [-u USERNAME] [-p PASSWORD] [-setproxy] [-setconn] [-dbroot DBROOT]
[-internal] [--help]
To launch Network Explorer CLI you can simply run nrclientcmd in a terminal without parameters Mac users can
simply double-click on the nrclientcmd shortcut on the Desktop You will be prompted for domain name and user
credential
If you need to launch nrclientcmd in a startup script you can also provide domain name or credential in the
command line arguments
If the client host is behind a proxy you can use ndashsetproxy option The proxy information will be stored in the
configuration file and nrclientcmd will respect this setting subsequently
There are also a few advance options
- setconn allow user to specify client-to-client connection type
- dbroot allow user to specify the location to store user data
- internal nrclientcmd will generate tags between information sections This option can be used by third
party developers to create a UI wrapper for CLI
372 Computer List in CLI
After signing in you will see your computer list just like on Windows The computer list will automatically update
if there are any changes in your virtual LAN eg a host comes online or offline
At the bottom of the screen lists the available commands you can use to manage the computer list change password
remotely wake up a computer or to quit
38 Network Explorer Portable
NeoRouter Network Explorer Portable can run from any computer without installation It does not require
administrator permission or use the virtual network adapter This application can be extremely useful for users who
need to connect to the VLAN from a public kiosk or from friendrsquos house
User Manual
NeoRouter Inc 2010 Page 29 of 53
Note Prior to v111 Portable and USB are two separate packages They are merged into one package in v111 and
later releases The new package is a zip file containing both the portable client and the USB Auto Run Configuration
Tool The functionalities are same as before
381 Network Explorer Portable
To use Network Explorer Portable client user can simply download it from NeoRouter download website and run
Then user will see the same user interface as the regular Network Explorer The user experience is almost the same
except for the following
The host running PortableUSB client cannot be added to the computer list or be accessed by remote computer
You can think of it as a ldquoviewer of the VLANrdquo
NeoRouter administrator users can see and manage hosts running PortableUSB clients in the Configuration
Explorer
382 Auto Run Configuration for USB
Auto Run Configuration Tool allows user to store the portable client add-ons and configuration on a USB drive
You can even configure it to launch and sign in automatically when the USB drive is plugged into a computer and to
sign out and exit when the USB drive is unplugged
Here are the steps for setting up the USB package
a Download NeoRouter for USB
b Unzip the package to any folder For example CTEMP
c Launch the ldquoAuto Run Configuration Toolrdquo (AutoRunCfgexe)
User Manual
NeoRouter Inc 2010 Page 30 of 53
d Click on the ldquohelliprdquo button next to the working directory text box and specify a working path If the target
USB drive is plugged in you can specify the USB drive root path as the working directory Or you can
specify a temporary path (eg CTEMPUSB) and copy the files to your USB driver later
e Once you specify a working directory the Settings section will be enabled
f Choose CliViewerexe from the same install zip package as the Target file
g Check the Sign in checkbox and enter the domain name and user information to log into your NeoRouter
VLAN
h Setup the proxy information if necessary
i If you want to import a NeoRouter add-on click on the button on the right side of the Add-on file text
box and specify an add-on nri file
j If you want to run an application automatically after signing in click on the Run application
automatically check box and input an executable file path and parameters
k If you want to hide the NeoRouter Viewer window click on the Minimize NeoRouter window when
started
l Click on Save button to save the configuration files It will generate the following files under the working
directory
- Autoruninf
- CliViewerexe copied from the target file
- NRAutoRunxml
- [add-on file]nri if you specify an add-on
- Proxyxml if you specify a proxy
m You will also see the following dialog if the configuration was successful Then please copy all files and
sub-folder under the working directory to the root of your USB drive And the USB drive is ready to use
39 Change Password
A user can change hisher password in NeoRouter Network Explorer User must sign in the Network Explorer using
old password then choose menu ldquoFile | Change Passwordrdquo then enter the new password in the dialog
Network Explorer CLI has similar functionality After signing in user can use ndashchangepassword command to enter
new password
If a user loses the old password an administrator can create a new password for himher using the Configuration
Explorer User Management tool
User Manual
NeoRouter Inc 2010 Page 31 of 53
4 Configuration Explorer
NeoRouter Configuration Explorer is a Windows application that allows an administrator to manage local or remote
NeoRouter server This is the recommended method to change server settings
If user does not have a Windows computer nrserver CLI can be used to perform most configurations
41 Launch and Sign In
Note Only administrators can sign in Configuration Explorer
a User can launch it from Windows Start Menu | All Programs | NeoRouter | NeoRouter Network Explorer
or from NeoRouter Network Explorer menu ldquoFile | Optionsrdquo
b After launch user will see a sign-in dialog that is similar to the Network Explorer counterpart Please enter
domain name and user credential to sign in If the local host is behind a proxy please click on Connection
button to set proxy information
c After sign in the following general information page will be displayed
User Manual
NeoRouter Inc 2010 Page 32 of 53
42 Managing Users
In the User Accounts page you can perform the following tasks
- View existing users The users list can be sorted by any column
- Add a new user admin will create a temporary password for the new user and user can change the
password in Network Explorer
- Edit user information you can enter anything like employer contact info etc
- Set userrsquos password If a user loses password admin can set a temporary password for himher Then user
can change the password again in Network Explorer
- Disable (block) a user A disabled user will not be able to sign in Network Explorer or Configuration
Explorer The userrsquos profile and ACL settings are retained
- Delete a user all information of this user is deleted
- View the computers that are visible to this user (see ACL section for details)
User Manual
NeoRouter Inc 2010 Page 33 of 53
43 Managing Computers
In the Computers page you can perform the following tasks
- View existing computers please note that the Type column will show ldquoTemporaryrdquo for Network Explore
PortableUSB clients and ldquoPermanentrdquo for regular clients The computer list can be sorted by any column
- Edit a computerrsquos alias When a computer is added to the virtual network NeoRouter reads the computer
name from the OS and displays it in the computer list If you prefer a different name you can create an
alias which will then be used in the computer list
- Edit a computerrsquos description you can enter anything like computer owner location asset id etc
- Edit ACL this will be discussed in next section
User Manual
NeoRouter Inc 2010 Page 34 of 53
44 Access Control List
This feature is available in NeoRouter Profession Edition only
441 Overview
The ACL of a host specifies which users are granted or denied access to the host and which specific services or ports
are allowed Administrators can use ACL to manage a NeoRouter domain that has users with different trust levels
For example Joe uses NeoRouter to manage the office network at his small business He wants to share some
documents on a file server with a customer but block this customer from accessing other services on this file server
and other computers at office At the same time Joe and his coworkers should continue to have full access to all
computers
This can be a daunting task with traditional VPN solutions Once Joersquos customer is connected into the office
network heshe can access all network resources just like Joe and his coworkers If the office uses a domain
controller it can help mitigate the threat but Joe would have to check all the computers to ensure they are secure
Some coworkers can make innocent mistakes and share important files or internal websites with ldquoeveryonerdquo With
NeoRouter Joe can manage all the access control at one place and easily solve this challenge
User Manual
NeoRouter Inc 2010 Page 35 of 53
ACL defines the relationships between users and computers that can be conceptually represented using a table In
Joersquos case he needs to define the ACL as follows
Default User Joe (Admin) Customer Joersquo Co-workers
Default Computer ACL Block all
File Server Allow all Allow file sharing
block other services
Office Computer A Allow all Block all
Office Computer B Allow all Block all
Joersquos laptop Allow all Block all
Customerrsquos Computer
Letrsquos first look at the row for File Server Joersquos customer will only have access to the files sharing service There is
no ACL defined for Joe and his co-workers so the ACL for Default User is effective and they have full access
Similarly the customer will be blocked from accessing office computer A and B as well as Joersquos laptop while Joe
and his coworkers have full access to these computers
When the customer connects to Joersquos NeoRouter domain his computer will be added to the domain Because the
ACL for this computer is undefined it will have the same ACL as ldquoDefault Computerrdquo Thus the customerrsquos
computer will block all users including Joe from accessing it The customer has physical access to his own
computer
442 Define Computer ACL
You can think of a computerrsquos ACL as a row in the above ACL table An admin can select any computer in the
computer list and edit its ACL If a group of computers share the same ACL admin can copy ACL from one
computer to another
To edit the Default Computer ACL you can click on the ldquoEdit Default ACLrdquo button in the tool bar
User Manual
NeoRouter Inc 2010 Page 36 of 53
443 Define ACL entry
An ACL entry defines the relationship between one user and one computer You can think of it as a cell in the above
table To edit an ACL entry you can select the computer in the computer list click Edit ACL in the tool bar and
then select the user in the User List in the following dialog If the user does not exist in the list you can click Add
button and add himher
There are 4 types of ACL entries
Undefined the relationship between the user and the computer is not explicitly defined The user does not
show up in the User List of the ACL In this case the Default User ACL entry for this computer will be
effective
Block All the computer is invisible to the user User cannot add the computer to hisher computer list in
Network Explorer or connect to it
Note admin can view the list of computers that is visible to a specific user Click on the User Accounts tab
choose the user and then click on the ldquoUser Computer Listrdquo button from tool bar
Firewall On User can only access the services in the exceptions list provided by the computer
Firewall Off User can access all services provided by the computer
To define the Default User ACL entry for a computer choose Default User from User List If several users have the
same trust level admin can copy the ACL entry from one user to another using the ldquoCopy Fromrdquo button
444 How Firewall Works
NeoRouter Client Service daemon has a built-in firewall that monitors traffic in the virtual network The firewall
downloads the ACL from server and uses it to allow or deny incoming connections in the virtual network
User Manual
NeoRouter Inc 2010 Page 37 of 53
When a remote computer establishes a direct P2P or relayed connection to local host it also informs which user has
signed into the Network Explorer on the remote computer Then the local hostrsquos firewall will use the user id to
choose the appropriate ACL entry and control the virtual network traffic between these two computers If user does
not sign in Network Explorer on the remote computer the Default User ACL entry is used
As a result NeoRouter firewall can control a userrsquos access to a network resource (a computer or a service on a
computer) based on the ACL
445 Example hub-and-spoke
Jeffrsquos company has three business partners A B and C Jeff needs to setup bidirectional network connections with
each partner but these partners should be invisible to each other Jeff setup a NeoRouter domain and invited the
partners to Then Jeff creates the following ACL to achieve his access control goals
Default User Jeff (Admin) Partner A Partner B Partner C
Default Computer ACL Block all Allow all
Jeffrsquos Computer 1 (Hub 1) Allow all
Jeffrsquos Computer 2 (Hub 2) Allow all
Partner Arsquos Computer
Partner Brsquos computer
Partner Crsquos computer
Every user will have access to Jeffrsquos two computers (hub) because they have Default User ACL entry as ldquoAllow
allrdquo Partner Arsquos computer does not have a specific ACL defined so the Default Computer ACL is effective The
Default Computer ACL grants Jeff access to Partner Arsquos computer but make the computer invisible to Partner B and
C Partner A have physical access to his own computer
446 Example one-way access
Jasonrsquos company provide technical support for customer A Jason needs to have one-way access to Customer Arsquos
computer but block Customer A from accessing Jasonrsquos computer Jason sets up the following ACL for his domain
and invites Customer A to join his domain Jason can access all the computers in the domain while Customer A can
access none except for his own
One day Jason visits another Customer Brsquos office He installs NeoRouter client on Customer Brsquos computer so that he
can provide technical support remotely in the future When he signs into Network Explorer he makes sure to
uncheck ldquoremember my passwordrdquo checkbox When he leaves customer Brsquos office he exits the Network Explorer
Because Network Explorer is not running on Customer Brsquos computer the Default User ACL governs the
connections from Customer Brsquos computer to other computers in the VLAN Thus Customer B does not have access
to any computers except for his own When Jason goes back to his office he can connect to Customer Brsquos computer
remotely and provide customer support
The difference between Customer A and B is that Customer A has a NeoRouter user account while Customer B does
not The result is that Jason has access to all three computers while Customer A or B can only access hisher own
computer
Default User Jason (Admin) Customer A
Default Computer ACL Block all Allow all
Jasonrsquos Computer
Customer Arsquos Computer
Customer Brsquos Computer
User Manual
NeoRouter Inc 2010 Page 38 of 53
45 Managing Server and Domain
In the Settings page you can perform the following tasks
- Change domain name User should have setup a domain during the server installation If you decide to
change the domain name you can create a new domain at NeoRouter Dashboard website and then use
Configuration Explorer to switch the server to new domain
- Change Listen Port this is discussed in the Advanced Configuration chapter
- Change NAT setting this is discussed in the Server Installation chapter
- Change DHCP this is discussed in the Advanced Configuration chapter
Please restart the NeoRouter server daemon after changes
46 Branding
This feature is available in NeoRouter Profession Edition only
Admin can customize the logo on the sign-in page NeoRouter Network Explorer and the banner below the computer
list The customization page of the Configuration Explorer allows user to make these changes The changes will be
effective next time user signs into the Network Explorer
User Manual
NeoRouter Inc 2010 Page 39 of 53
a Logo format custom logo can be JPG JPEG BMP or GIF files The Logo will be displayed in 180 80
pixels and the file will be automatically resized to fit The color of the pixel at (0 0) will be used as the
transparent color
b Banner format custom banner can be JPG JPEG BMP or GIF files The banner will be displayed in
190 42 pixels and the file will be automatically resized to fit
c When user clicks on the banner Network Explorer will launch a web browser and navigate to the link
specified in the ldquoBanner Linkrdquo box The banner link should be a valid URL that begins with http eg
httpwwwgooglecom
User Manual
NeoRouter Inc 2010 Page 40 of 53
47 Server Configuration CLI
Another way to configure the NeoRouter server is to use nrserverrsquos CLI If user does not have a Windows computer
with Configuration Explorer this tool can be used to set most configurations
Usage nrserver [options]
-run [--dbroot ltDBROOTgt]]
-showsettings
-setdomain ltDOMAINNAMEgt ltDOMAINPASSWORDgt
-setport ltPORTgt
-dhcp ltSUBNETgt ltNETMASKgt
-showusers
-adduser ltUSERNAMEgt ltPASSWORDgt [admin|user]
-setpassword ltUSERNAMEgt ltNEW PASSWORDgt
-setrole ltUSERNAMEgt [admin|user]
-enableuser ltUSERNAMEgt
-disableuser ltUSERNAMEgt
-deleteuser ltUSERNAMEgt
-showcomputers
-deletecomputer COMPUTERNAME
-setalias COMPUTERNAME ALIAS
-help
5 Advanced Configuration
51 Change Server Port
By default NeoRouter server listens at TCP port 32976 for incoming client connections User can change the
listening port to any valid number between 1 and 65534
a Launch Configuration Explorer sign in and open the Settings tab
b Click on ldquoChange Portrdquo button input the new listening port and click ldquoOkrdquo to save the settings
c If the NeoRouter Server is running on the same computer user will be prompted for restarting the
NeoRouter Server
d If the NeoRouter Server is running on a different computer or device user needs to restart the server
manually
User Manual
NeoRouter Inc 2010 Page 41 of 53
Note
- The new settings will not take effect until the NeoRouter server stops and restarts
- Since the listening port has been changed all NeoRouter clients connected to the server will be
disconnected and have to reconnect to the server
52 Change DHCP NeoRouter server acts as a DHCP server to allocate the virtual IP address when a NeoRouter client connects to it By default the base IP address is 100002552552550 User can change the base IP address to any valid network IP address to meet the specific requirements
a Run Configuration Explorer sign in and open the ldquoSettingsrdquo tab b Click on ldquoChange DHCPrdquo button input the new IP address and netmask and then click ldquoOkrdquo to save the
settings c If the NeoRouter Server is running on the same computer user will be prompted for restarting the
NeoRouter Server d If the NeoRouter Server is running on a different computer or device user needs to restart the server
manually
Note
- The new settings will not take effect until the NeoRouter server stops and restarts
53 Network Bridge
531 Overview NeoRouter (v099 or later) supports the Network Bridge feature which uses two very different means for
interconnecting networks routing and bridging Once the feature is enabled the ACL feature will be disabled
automatically as we cannot control the packets from the external networks anymore and may cause security issues if
its not setup properly So this is an advanced feature for the users who know about it every well
Routing - refers to the interconnection of separate and independent sub-networks (subnets) which have non-
overlapping ranges of IP addresses Upon receiving a packet sent to it a network router examines the
destination IP address to determine which of several connected networks should receive it after which that packet
is forwarded to the proper network
User Manual
NeoRouter Inc 2010 Page 42 of 53
Bridging - by comparison is much simpler A network bridge is simply an electrical interconnection between
separate physical networks that are all carrying the same ranges of IP addresses Standard dumb network hubs
and switches are examples of network bridges With a hub packets arriving at any port are bridged and sent
out to every other port A switch is a bit smarter since it is able to adaptively learn which network interface cards
(NICs) are attached to which ports But a switch is still interconnecting network segments carrying the same
ranges of IP addresses
532 Routing vs Bridging Although routed connections are the most common and straightforward to configure they suffer from significant
operational limitations By comparison bridged connections are generally much trickier to configure and are not
even natively available under all operating systems so they are not the default connection type But when bridging
is properly setup it correctly does everything that we want
Bridging and routing are functionally very similar with the major difference being that a routed VPN will not pass
IP broadcasts while a bridged VPN will
Routing advantages
Efficiency and scalability
Allows better tuning of MTU for efficiency
Routing disadvantages
Clients must use a WINS server (such as samba) to allow cross-VPN network browsing to work
Routes must be set up linking each subnet
Software that depends on broadcasts will not see machines on the other side of the VPN
Works only with IPv4 in general and IPv6 in cases where tuntap drivers on both ends of the connection
support it explicitly
Bridging advantages
Broadcasts traverse the VPN -- this allows software that depends on LAN broadcasts such as Windows
NetBIOS file sharing and network neighborhood browsing to work
No route statements to configure
Works with any protocol that can function over ethernet
Relatively easy-to-configure solution for road warriors
Bridging disadvantages
Less efficient than routing and does not scale well
533 Setup Network Bridge With either bridging mode or routing mode one can create point-to-site VPN site-to-site VPN or even multiple site-
to-site networks Once a network structure is well designed one can use Featureini file to control NeoRouter client
service to implement it
The file Featureini is located in the main configuration folder which can be various for different OS
On Windows Xp
XDocuments and SettingsAll UsersApplication DataZebraNetworkSystemsNeoRouter
On Vista+
XUsersAll UsersZebraNetworkSystemsNeoRouter
On Linux and Mac OSX
usrlocalZebraNetworkSystemsNeoRouter
On in-a-box
jffs
If it does not exist please create one
The only thing to do is define the parameters in the Featureini file
User Manual
NeoRouter Inc 2010 Page 43 of 53
NetworkBridge=1
LANSegment parameter
This is a set of parameters used for mapping the external IP address or IP range to a virtual IP address so that
NeoRouter can route the packets to the proper tunnel Its defined in the following format
LANSegment[index]=[IP|IP range|segment]VIP
[index] - number start from 1 for example 123
[IP] - a valid external IP address for example 192168129126
[IP range] - a set of external IP addresses in the format as IP_BEGIN-IP_END For example 192168129126-
192168129128
[segment] - a set of external IP addresses in the format as SUBNETWORKNETMASK For example
19216812902552552550
For example
[Default]
NetworkBridge=1
LANSegment1=192168129126-192168129128192168129204
LANSegment2=192168129120192168129205
LANSegment3=192168302552552550192168129206
In the sample above the setting tells NeoRouter how to route packets
Here are several common scenarios
534 Bridging Setup ndash point to site VPN
Requirement
A company wants create a point-to-site VPN so that the employees can remotely access the printers or computers in
the office from home or customer site Since NeoRouter client cannot be installed on the printers and some
User Manual
NeoRouter Inc 2010 Page 44 of 53
computers that are running Unix OS (HP-Unix Solaris or SCO Unix) the NeoRouter Network Bridge feature
would the best choice
Design
Since we want to use the printer its better to use the bridging mode Depending on the requirements we split the
network into 3 groups
1 192168129126 - 192168128128 used for computers or printers
2 192168129200 - 192168129254 used for NeoRouter DHCP
3 Other IP address we dont want packets from these IP range go to our VPN
Setup
1 Setup NeoRouter server and config the DHCP address to 1921681292002552552550
2 Setup the gateway computer by creating a bridge to combine the NeoRouter virtual adapter and a local adapter
On Windows XP+ (except WinXp x64) one can use Windows tool to create a bridge
(check out MSDN for details)
Since some adapters may not fully support prosmic mode one has to enable it manually
(check out httpsupportmicrosoftcomkb302348)
gt netsh bridge show adapter
gt netsh bridge set a 1 e
gt netsh bridge set a 2 e
On Linux one can use brctl command to create a bridge
gt brctl addbr $br
gt brctl addif $br eth0
gt brctl addif $br nrtap
gt ifconfig nrtap 0000 promisc up
gt ifconfig eth0 0000 promisc up
gt ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast
gt
gt ifconfig $br down
gt brctl delbr $br
3 Setup Featureini file on each member of the NeoRouter network The content of the file is
[Default]
NetworkBridge=1
LANSegment1=192168129126-192168129128192168129204
After setting the file restart the nrservice or reboot computer
User Manual
NeoRouter Inc 2010 Page 45 of 53
535 Routing Setup ndash site to site VPN
Requirement
A company wants create a site-to-site VPN to link two offices located in different cities They cannot install
NeoRouter client software on their computers running Unix OS (HP-Unix Solaris or SCO Unix) The NeoRouter
Network Bridge feature would be the best choice
Design
To make the VPN fast its better to use the routing mode From the requirements we can see 3 networks
1 19216812902552552550 Office 1
2 192168302552552550 Office 2
3 100102552552550 NeoRouter virtual network
Setup
1 Setup NeoRouter client on each gateway computers
2 One each gateway computer enable the feature allowing the OS to forward packets
On Windows 2000+
create HKEY_Local_MachineSystemCurrentControlSetServicesTcpipParametersIPEnableRouter
as a string value equal to 1 in the registry This will require a system reboot to take effect To confirm it
is enabled do ipconfig all from the command line IP Routing Enabled should say yes If not confirm your
registry setting and reboot again This setting is flaky in non-server versions of Windows
Also refer to httpsupportmicrosoftcomkb230082en-us
On Linux
gt echo 1 gt procsysnetipv4ip_forward
User Manual
NeoRouter Inc 2010 Page 46 of 53
On Mac OS X
1) The easy way is to create or edit etcsysctlconf and add netinetipforwarding=1
or
2) gt sysctl -w netinetipforwarding=1
3 Setup route on each gateway
On the gateway of the 1921683x network
gt route ndashp add 1921681290 mask 25525500 1001103
On the gateway of the 192168129x network
gt route ndashp add 19216830 mask 25525500 1001102
4 Setup route stable When using routing method you need to tell your other machines how to cross the VPN to
access computers on the opposite network
Option1
This requires more work but limits configuration changes to be at the computer level
On each computer of the 1921683x network
gt route ndashp add 1921681290 mask 25525500 1921683234
On each computer of the 192168129x network
gt route ndashp add 19216830 mask 25525500 192168129129
Option 2 (not all routers support this but it is the minimal configuration method)
On the router acting as the default gateway for 1921683x network add a static route that says any traffic destined
for 1921681290 network go through 1921683x (IP address of NeoRouter PC on 1921683x network)
On the router acting as the default gateway for 192168129x network add a static route that says any traffic
destined for 19216830 network go through 192168129x (IP address of NeoRouter PC on 192168129x
network)
User Manual
NeoRouter Inc 2010 Page 47 of 53
536 Bridging Setup ndash site to site VPN
537 Run Scripts When Network Bridge feature is enabled one can define commands getting called by NR Client on the following
events
These commands should be defined in the Featureini file
1When initialize the tap device but not activate it yet
CmdOnTapInit=xxxxxxxxx
2When the tap device gets activated
CmdOnTapActive=xxxxxxxxx
3When tap device gets destroyed
CmdOnTapUninit=xxxxxxxxx
These options are available on all platforms
For example one can define a script to setup static route table after the tap gets activated and has virtual IP address
assigned
Featureini
CmdOnTapActive=usrbinsetroutetablesh
User Manual
NeoRouter Inc 2010 Page 48 of 53
54 Build Custom Add-on (Windows)
541 Create Custom Add-on You can customize an add-on or even create your own
As an example letrsquos create an add-on to get the system info of a remote computer using PsTools by Mark
Russinovich and systeminfoexe command shipped with Windows
PsTools httptechnetmicrosoftcomen-ussysinternalsbb896649aspx
systeminfo httptechnetmicrosoftcomen-uslibrarybb491007aspx
a Launch NeoRouter Network Explorer open Add-ons Manager dialog
b Click + button to create a new add-on
c In add-on properties dialog enter the following
Add-on name psexec systeminfo
Command
cmdexe C cpstoolspsexecexe NRIPAddress -u ltusernamegt systeminfo amp pause
Please replace ltusernamegt with username on the remote computer
Comment Get SystemInfo of remote machine using psexec
Startup Type Manual
Icon click Change Icon button to choose one thats easy to recognize
d In the command you can use Windows environment variables or NeoRouter variables like
NRIPAddress If you click on the button next to the Command edit box you will see the Edit
Command dialog with a list of variables you can use
User Manual
NeoRouter Inc 2010 Page 49 of 53
e Three Startup types are supported
Manual the add-on will be displayed in the launch pad of Network Explorer and user can manually
launch the program
Automatic after signing in the add-on command is automatically executed when user signs into
NeoRouter Network Explorer
Automatic after Windows starts the add-on command is automatically executed when Windows
starts
f Launch the new add-on just click on the target computer in Network Explorer and choose the add-on in
the pop-up launch pad
User Manual
NeoRouter Inc 2010 Page 50 of 53
g In the above steps I have assumed that PsTools are installed at cPsTools and the remote computer has
telnet service enabled If not lets configure the system now
PsTools download from httptechnetmicrosoftcomen-ussysinternalsbb896649aspx and extract to
cPsTools folder
h Configure telnet service on remote computer This step is required on XPVista but not necessary on
Windows 20032008 servers
Run servicesmsc from the Start -gt Run command window and configured the Telnet service for
Automatic Start the service
Follow the instructions here httpsupportmicrosoftcomkb298060en-us
Launch Windows firewall and add CWINDOWSSystem32tlntsvrexe to exception list
542 Add-on File Formats
NeoRouter supports two types of add-on files nri and nra Most users only need to deal with nri files all files
downloaded from httpwwwneoroutercomaddonsindexhtml are in this format nra files are used by advanced
users to build custom add-ons
nri is the full installation package that contains both the application and the the configure info Users can simply
download nri files from and use the Install button to setup the add-on
nra contains only the configuration info Advanced users can create custom add-ons and export the configuration
info as nra files using the Export button in the add-on properties dialog Then heshe can import the nra file
on another client But remember that you will need to manually setup the application as well
User Manual
NeoRouter Inc 2010 Page 51 of 53
6 Licensing NeoRouter
61 Licensing Overview
NeoRouter Server Professional Edition has a license control mechanism User can purchase either 8 licenses or 256
licenses The number of licenses is the max number of client computers allowed in the virtual network A
NeoRouter client requires one license regardless of whether it is online or offline A NeoRouter PortableUSB client
requires one license when it is connected to the virtual network There is no limit on the number of user accounts
NeoRouter Professional has 30 days trial period Please activate before the trial period expires to ensure
uninterrupted usage The license status and remaining trial days can be found at Configuration Explorerrsquos General
page
62 Activation
If you have purchased NeoRouter Professional Edition you should receive a product key in email Please have the
product key ready before starting the activation process
a Ensure NeoRouter server is running
b Launch Configuration Explorer and sign in
c Open ldquoGeneralrdquo page click on the ldquoActivate Productrdquo button
d Enter the product key in the following dialog
e Click on the ldquoOKrdquo button to activate it
After successful activation the ldquoActivate Productrdquo button will disappear and License status will show as activated
If the server host is non-Windows you can also activate using nrserverrsquos CLI The command is as follows On Mac
nrserver executable is located under LibraryNeoRouter
ldquonrserver ndashactivateproduct ltPRODUCT KEYgtrdquo
63 Product Key Recovery
You should receive a product key in email within 48 hours after your purchase If you lose the product key please
contact us and provide your name company shipping address and email address We will verify the information and
resend the product key to you
User Manual
NeoRouter Inc 2010 Page 52 of 53
7 Troubleshooting and Support
71 Troubleshooting
If you come cross issues when using NeoRouter please use the methods to debug or report
711 Troubleshooting steps
1Install Server
2Check Server
Process
3Check Server
Listening port
4Check Port
Forwarding
6Signin with
Domain
14Check Error
Message
20 Generate Log
and email support
9Install Client
10Check Client
Service Process
11Sign in with
serverrsquos local or
public IP and port
failed
sucessful
15 Manually Start
Servernot found
started
not start
found
not open17 Check Port
conflicts
solved
Not solved
opened
19 Check Router
Port Forward
setting
not work
Set properly
8Ready
Sign in successfully
5Sign in with
public IP and port
successful
Cannot sign in
22 Router Hairpin
issue
Cannot
sign in
12Sign in with
domain name
found
successful
failed
16 Manually Start
Client ServiceNot found
started
13Ready
Sign in successfully
18 Check serverCannot
Sign in
solved
Cannot
sign in
21 Check domain
setting
Not sovled solved
Troubleshooting Steps
Setup Server Setup Client
Note
Step 2 and 10 to check if a process is running you can use Task Manager or Services Console on
Windows or ps command on other platforms
Step 3 to check server listening port you can use telnet or netstat on all platforms You can also
TcpViewer on Windows or NetActView on Linux
Step 4 to check port forwarding you can use httpwwwneoroutercomcheckportphp
Step 5 and 6 Tip ndash use Configuration Explorer instead of Network Explorer to debug server issues
Step 20 next section will explain how to generate log files
User Manual
NeoRouter Inc 2010 Page 53 of 53
Step 22 If your router does not support Hairpin please set serverrsquos LAN address in the Connection
Options dialog See Server Local Address
712 Generate Log
If you need technical support please use the following steps to collect the log files and send them to
supportneoroutercom
a Launch Network Explorer
b Select menu item HelpgtgtTroubleshootinggtgtLog Session to File
c If you want to troubleshoot the server then restart the NeoRouter server service from the servicesmsc if
you want to create log for the client then restart the NeoRouter client service from the servicemsc
d After reproduce the issue select menu item HelpgtgtTroubleshootinggtgt Log Session to File again to disable
the log and restart the service you are trying to log
e Select menu item HelpgtgtTroubleshootinggtgtOpen Configuration Folder and you will see the log file
For advanced users please setup logging settings manually referring to
httpwwwneoroutercomwikiindexphpNeoRouterWikiFAQHow_to_generate_a_log_file3F
72 Contact Us
Company website
httpwwwneoroutercom
Technical support
supportneoroutercom
Support ticket
httpswwwneoroutercomDashboardSendTicketaspx
Support forum
httpwwwneoroutercomforum
Product sales
salesneoroutercom
Knowledge base
httpwwwneoroutercomsupport
User Manual
NeoRouter Inc 2010 Page 25 of 53
343 Server Local Address This option can be used to work around the connectivity issue when NeoRouter server is behind a router that does
not support hairpin
A router supports hairpin if it allows a host behind it to send network messages to its public-facing interface
Unfortunately some popular routers do not support this feature or turn off this feature by default
When user logs into NeoRouter Network Explorer first translates domain name into routerrsquos public address using
the NeoRouter DDNS service and then tries to connect to server using this address If both NeoRouter server and
client are behind the same router and the router does not support hairpin the router will block the messages that
client sends to the routerrsquos public address thus client fails to establish connection to server User could work around
this issue by entering serverrsquos LAN IP address instead of domain name in the ldquolog on tordquo box but this can be a
hassle for laptop users who frequently move between networks
These users can choose the second option ldquoConnect to server using its local address when possiblerdquo in the following
dialog and enter serverrsquos local address NeoRouter Network Explorer can detect when client and server are behind
the same router and automatically choose the specified local address to establish the connection to server
User Manual
NeoRouter Inc 2010 Page 26 of 53
35 Multi-Language
Multi-Language support allows you to change the default language displayed in Network Explorer NeoRouter
Portable and Configuration Explorer
351 Install a language resource file
NeoRouter applications support 34 languages and English is the default To install a new language you can
download the language resource files from
httpwwwneoroutercomwikiindexphpNeoRouterWikiMultilanguage and place them under the translation
folder Then the application will load them and list all available languages in the Language menu You can switch
language in the menu and the application will refresh its UI with the new language
For NeoRouter Network Explorer and Configuration Explorer the language resource files should be placed under
one of the following folders
ldquoProgram FilesZebraNetworkSystemsNeoRouterTranslationrdquo
ldquoAllUsersAppdataZebraNetworkSystemsNeoRouterTranslationrdquo
For NeoRouter PortableUSB the language resource file should be placed under Translations folder next to
application
352 Language resource file format
The file name should have the following format [Appliation Name] can be NRClient NRViewer and NRConsole
[LangCd] is the short language code
[Application name]Resource[LangCd][xml|dll]
For example Simplified Chinese version has the following files NRClientResourceZhCnxml for Network
Explorer NRConsoleResourceZhCnxml for Configuration Explorer and NRViewerResourceZhCnxml for
NeoRouter Portable
User Manual
NeoRouter Inc 2010 Page 27 of 53
Each resource file is an xml that contains all the strings defined in the NeoRouter applications The file is encoded in
ANSI The content should be in the format
ltxml version=10 encoding=windows-1252gt
ltresource CompactMode=1 Language=English (United States) LANGID=1033
version=09101650gt
ltstring id=100 value=OLE initialization failed Make sure that the OLE libraries are
the correct versiongt
ltresourcegt
Encoding (=windows-1252) Language(=English (United States)) and LANGID(=1033) are used to control
the translation version=09101650 is resource file version number introduced in v0910 The resource file can
be recognized properly only when these parameters are set properly
353 Multi-Language support for Add-ons
The names and descriptions of the add-ons can be translated to other languages as well You can download the add-
on configuration file from NeoRouter website and overwrite the following file
AllUserAppDataZebraNetworkSystemsNeoRouterAddOnsAddOnxml
36 Skin
Skin allows you to further customize the user interfaces of Network Explorer NeoRouter Portable and
Configuration Explorer
To install a new skin you can download the skin resource file from
httpwwwneoroutercomwikiindexphpNeoRouterWikiSkin and place them under the skin folder
For NeoRouter Network Explorer and Configuration Explorer the language resource files should be placed under
one of the following folders
ldquoProgram FilesZebraNetworkSystemsNeoRouterSkinrdquo
ldquoAllUsersAppdataZebraNetworkSystemsNeoRouterSkinrdquo
For NeoRouter PortableUSB the language resource file should be placed under Skin folder next to executable
To change default skin you need to modify (or create if not exists)
AllUserAppDataZebraNetworkSystemsNeoRouterFeatureini file and add the following
[Default]
SkinName=xxxxstyles
SkinStyle=xxxxini
37 Network Explorer CLI
NeoRouter Network Explorer Command Line Interface (CLI) allows user to sign in manage the computer list and
view computer status Below are the screenshots on Mac and Ubuntu Linux
User Manual
NeoRouter Inc 2010 Page 28 of 53
371 Launch CLI
Usage nrclientcmd [-d DOMAIN] [-u USERNAME] [-p PASSWORD] [-setproxy] [-setconn] [-dbroot DBROOT]
[-internal] [--help]
To launch Network Explorer CLI you can simply run nrclientcmd in a terminal without parameters Mac users can
simply double-click on the nrclientcmd shortcut on the Desktop You will be prompted for domain name and user
credential
If you need to launch nrclientcmd in a startup script you can also provide domain name or credential in the
command line arguments
If the client host is behind a proxy you can use ndashsetproxy option The proxy information will be stored in the
configuration file and nrclientcmd will respect this setting subsequently
There are also a few advance options
- setconn allow user to specify client-to-client connection type
- dbroot allow user to specify the location to store user data
- internal nrclientcmd will generate tags between information sections This option can be used by third
party developers to create a UI wrapper for CLI
372 Computer List in CLI
After signing in you will see your computer list just like on Windows The computer list will automatically update
if there are any changes in your virtual LAN eg a host comes online or offline
At the bottom of the screen lists the available commands you can use to manage the computer list change password
remotely wake up a computer or to quit
38 Network Explorer Portable
NeoRouter Network Explorer Portable can run from any computer without installation It does not require
administrator permission or use the virtual network adapter This application can be extremely useful for users who
need to connect to the VLAN from a public kiosk or from friendrsquos house
User Manual
NeoRouter Inc 2010 Page 29 of 53
Note Prior to v111 Portable and USB are two separate packages They are merged into one package in v111 and
later releases The new package is a zip file containing both the portable client and the USB Auto Run Configuration
Tool The functionalities are same as before
381 Network Explorer Portable
To use Network Explorer Portable client user can simply download it from NeoRouter download website and run
Then user will see the same user interface as the regular Network Explorer The user experience is almost the same
except for the following
The host running PortableUSB client cannot be added to the computer list or be accessed by remote computer
You can think of it as a ldquoviewer of the VLANrdquo
NeoRouter administrator users can see and manage hosts running PortableUSB clients in the Configuration
Explorer
382 Auto Run Configuration for USB
Auto Run Configuration Tool allows user to store the portable client add-ons and configuration on a USB drive
You can even configure it to launch and sign in automatically when the USB drive is plugged into a computer and to
sign out and exit when the USB drive is unplugged
Here are the steps for setting up the USB package
a Download NeoRouter for USB
b Unzip the package to any folder For example CTEMP
c Launch the ldquoAuto Run Configuration Toolrdquo (AutoRunCfgexe)
User Manual
NeoRouter Inc 2010 Page 30 of 53
d Click on the ldquohelliprdquo button next to the working directory text box and specify a working path If the target
USB drive is plugged in you can specify the USB drive root path as the working directory Or you can
specify a temporary path (eg CTEMPUSB) and copy the files to your USB driver later
e Once you specify a working directory the Settings section will be enabled
f Choose CliViewerexe from the same install zip package as the Target file
g Check the Sign in checkbox and enter the domain name and user information to log into your NeoRouter
VLAN
h Setup the proxy information if necessary
i If you want to import a NeoRouter add-on click on the button on the right side of the Add-on file text
box and specify an add-on nri file
j If you want to run an application automatically after signing in click on the Run application
automatically check box and input an executable file path and parameters
k If you want to hide the NeoRouter Viewer window click on the Minimize NeoRouter window when
started
l Click on Save button to save the configuration files It will generate the following files under the working
directory
- Autoruninf
- CliViewerexe copied from the target file
- NRAutoRunxml
- [add-on file]nri if you specify an add-on
- Proxyxml if you specify a proxy
m You will also see the following dialog if the configuration was successful Then please copy all files and
sub-folder under the working directory to the root of your USB drive And the USB drive is ready to use
39 Change Password
A user can change hisher password in NeoRouter Network Explorer User must sign in the Network Explorer using
old password then choose menu ldquoFile | Change Passwordrdquo then enter the new password in the dialog
Network Explorer CLI has similar functionality After signing in user can use ndashchangepassword command to enter
new password
If a user loses the old password an administrator can create a new password for himher using the Configuration
Explorer User Management tool
User Manual
NeoRouter Inc 2010 Page 31 of 53
4 Configuration Explorer
NeoRouter Configuration Explorer is a Windows application that allows an administrator to manage local or remote
NeoRouter server This is the recommended method to change server settings
If user does not have a Windows computer nrserver CLI can be used to perform most configurations
41 Launch and Sign In
Note Only administrators can sign in Configuration Explorer
a User can launch it from Windows Start Menu | All Programs | NeoRouter | NeoRouter Network Explorer
or from NeoRouter Network Explorer menu ldquoFile | Optionsrdquo
b After launch user will see a sign-in dialog that is similar to the Network Explorer counterpart Please enter
domain name and user credential to sign in If the local host is behind a proxy please click on Connection
button to set proxy information
c After sign in the following general information page will be displayed
User Manual
NeoRouter Inc 2010 Page 32 of 53
42 Managing Users
In the User Accounts page you can perform the following tasks
- View existing users The users list can be sorted by any column
- Add a new user admin will create a temporary password for the new user and user can change the
password in Network Explorer
- Edit user information you can enter anything like employer contact info etc
- Set userrsquos password If a user loses password admin can set a temporary password for himher Then user
can change the password again in Network Explorer
- Disable (block) a user A disabled user will not be able to sign in Network Explorer or Configuration
Explorer The userrsquos profile and ACL settings are retained
- Delete a user all information of this user is deleted
- View the computers that are visible to this user (see ACL section for details)
User Manual
NeoRouter Inc 2010 Page 33 of 53
43 Managing Computers
In the Computers page you can perform the following tasks
- View existing computers please note that the Type column will show ldquoTemporaryrdquo for Network Explore
PortableUSB clients and ldquoPermanentrdquo for regular clients The computer list can be sorted by any column
- Edit a computerrsquos alias When a computer is added to the virtual network NeoRouter reads the computer
name from the OS and displays it in the computer list If you prefer a different name you can create an
alias which will then be used in the computer list
- Edit a computerrsquos description you can enter anything like computer owner location asset id etc
- Edit ACL this will be discussed in next section
User Manual
NeoRouter Inc 2010 Page 34 of 53
44 Access Control List
This feature is available in NeoRouter Profession Edition only
441 Overview
The ACL of a host specifies which users are granted or denied access to the host and which specific services or ports
are allowed Administrators can use ACL to manage a NeoRouter domain that has users with different trust levels
For example Joe uses NeoRouter to manage the office network at his small business He wants to share some
documents on a file server with a customer but block this customer from accessing other services on this file server
and other computers at office At the same time Joe and his coworkers should continue to have full access to all
computers
This can be a daunting task with traditional VPN solutions Once Joersquos customer is connected into the office
network heshe can access all network resources just like Joe and his coworkers If the office uses a domain
controller it can help mitigate the threat but Joe would have to check all the computers to ensure they are secure
Some coworkers can make innocent mistakes and share important files or internal websites with ldquoeveryonerdquo With
NeoRouter Joe can manage all the access control at one place and easily solve this challenge
User Manual
NeoRouter Inc 2010 Page 35 of 53
ACL defines the relationships between users and computers that can be conceptually represented using a table In
Joersquos case he needs to define the ACL as follows
Default User Joe (Admin) Customer Joersquo Co-workers
Default Computer ACL Block all
File Server Allow all Allow file sharing
block other services
Office Computer A Allow all Block all
Office Computer B Allow all Block all
Joersquos laptop Allow all Block all
Customerrsquos Computer
Letrsquos first look at the row for File Server Joersquos customer will only have access to the files sharing service There is
no ACL defined for Joe and his co-workers so the ACL for Default User is effective and they have full access
Similarly the customer will be blocked from accessing office computer A and B as well as Joersquos laptop while Joe
and his coworkers have full access to these computers
When the customer connects to Joersquos NeoRouter domain his computer will be added to the domain Because the
ACL for this computer is undefined it will have the same ACL as ldquoDefault Computerrdquo Thus the customerrsquos
computer will block all users including Joe from accessing it The customer has physical access to his own
computer
442 Define Computer ACL
You can think of a computerrsquos ACL as a row in the above ACL table An admin can select any computer in the
computer list and edit its ACL If a group of computers share the same ACL admin can copy ACL from one
computer to another
To edit the Default Computer ACL you can click on the ldquoEdit Default ACLrdquo button in the tool bar
User Manual
NeoRouter Inc 2010 Page 36 of 53
443 Define ACL entry
An ACL entry defines the relationship between one user and one computer You can think of it as a cell in the above
table To edit an ACL entry you can select the computer in the computer list click Edit ACL in the tool bar and
then select the user in the User List in the following dialog If the user does not exist in the list you can click Add
button and add himher
There are 4 types of ACL entries
Undefined the relationship between the user and the computer is not explicitly defined The user does not
show up in the User List of the ACL In this case the Default User ACL entry for this computer will be
effective
Block All the computer is invisible to the user User cannot add the computer to hisher computer list in
Network Explorer or connect to it
Note admin can view the list of computers that is visible to a specific user Click on the User Accounts tab
choose the user and then click on the ldquoUser Computer Listrdquo button from tool bar
Firewall On User can only access the services in the exceptions list provided by the computer
Firewall Off User can access all services provided by the computer
To define the Default User ACL entry for a computer choose Default User from User List If several users have the
same trust level admin can copy the ACL entry from one user to another using the ldquoCopy Fromrdquo button
444 How Firewall Works
NeoRouter Client Service daemon has a built-in firewall that monitors traffic in the virtual network The firewall
downloads the ACL from server and uses it to allow or deny incoming connections in the virtual network
User Manual
NeoRouter Inc 2010 Page 37 of 53
When a remote computer establishes a direct P2P or relayed connection to local host it also informs which user has
signed into the Network Explorer on the remote computer Then the local hostrsquos firewall will use the user id to
choose the appropriate ACL entry and control the virtual network traffic between these two computers If user does
not sign in Network Explorer on the remote computer the Default User ACL entry is used
As a result NeoRouter firewall can control a userrsquos access to a network resource (a computer or a service on a
computer) based on the ACL
445 Example hub-and-spoke
Jeffrsquos company has three business partners A B and C Jeff needs to setup bidirectional network connections with
each partner but these partners should be invisible to each other Jeff setup a NeoRouter domain and invited the
partners to Then Jeff creates the following ACL to achieve his access control goals
Default User Jeff (Admin) Partner A Partner B Partner C
Default Computer ACL Block all Allow all
Jeffrsquos Computer 1 (Hub 1) Allow all
Jeffrsquos Computer 2 (Hub 2) Allow all
Partner Arsquos Computer
Partner Brsquos computer
Partner Crsquos computer
Every user will have access to Jeffrsquos two computers (hub) because they have Default User ACL entry as ldquoAllow
allrdquo Partner Arsquos computer does not have a specific ACL defined so the Default Computer ACL is effective The
Default Computer ACL grants Jeff access to Partner Arsquos computer but make the computer invisible to Partner B and
C Partner A have physical access to his own computer
446 Example one-way access
Jasonrsquos company provide technical support for customer A Jason needs to have one-way access to Customer Arsquos
computer but block Customer A from accessing Jasonrsquos computer Jason sets up the following ACL for his domain
and invites Customer A to join his domain Jason can access all the computers in the domain while Customer A can
access none except for his own
One day Jason visits another Customer Brsquos office He installs NeoRouter client on Customer Brsquos computer so that he
can provide technical support remotely in the future When he signs into Network Explorer he makes sure to
uncheck ldquoremember my passwordrdquo checkbox When he leaves customer Brsquos office he exits the Network Explorer
Because Network Explorer is not running on Customer Brsquos computer the Default User ACL governs the
connections from Customer Brsquos computer to other computers in the VLAN Thus Customer B does not have access
to any computers except for his own When Jason goes back to his office he can connect to Customer Brsquos computer
remotely and provide customer support
The difference between Customer A and B is that Customer A has a NeoRouter user account while Customer B does
not The result is that Jason has access to all three computers while Customer A or B can only access hisher own
computer
Default User Jason (Admin) Customer A
Default Computer ACL Block all Allow all
Jasonrsquos Computer
Customer Arsquos Computer
Customer Brsquos Computer
User Manual
NeoRouter Inc 2010 Page 38 of 53
45 Managing Server and Domain
In the Settings page you can perform the following tasks
- Change domain name User should have setup a domain during the server installation If you decide to
change the domain name you can create a new domain at NeoRouter Dashboard website and then use
Configuration Explorer to switch the server to new domain
- Change Listen Port this is discussed in the Advanced Configuration chapter
- Change NAT setting this is discussed in the Server Installation chapter
- Change DHCP this is discussed in the Advanced Configuration chapter
Please restart the NeoRouter server daemon after changes
46 Branding
This feature is available in NeoRouter Profession Edition only
Admin can customize the logo on the sign-in page NeoRouter Network Explorer and the banner below the computer
list The customization page of the Configuration Explorer allows user to make these changes The changes will be
effective next time user signs into the Network Explorer
User Manual
NeoRouter Inc 2010 Page 39 of 53
a Logo format custom logo can be JPG JPEG BMP or GIF files The Logo will be displayed in 180 80
pixels and the file will be automatically resized to fit The color of the pixel at (0 0) will be used as the
transparent color
b Banner format custom banner can be JPG JPEG BMP or GIF files The banner will be displayed in
190 42 pixels and the file will be automatically resized to fit
c When user clicks on the banner Network Explorer will launch a web browser and navigate to the link
specified in the ldquoBanner Linkrdquo box The banner link should be a valid URL that begins with http eg
httpwwwgooglecom
User Manual
NeoRouter Inc 2010 Page 40 of 53
47 Server Configuration CLI
Another way to configure the NeoRouter server is to use nrserverrsquos CLI If user does not have a Windows computer
with Configuration Explorer this tool can be used to set most configurations
Usage nrserver [options]
-run [--dbroot ltDBROOTgt]]
-showsettings
-setdomain ltDOMAINNAMEgt ltDOMAINPASSWORDgt
-setport ltPORTgt
-dhcp ltSUBNETgt ltNETMASKgt
-showusers
-adduser ltUSERNAMEgt ltPASSWORDgt [admin|user]
-setpassword ltUSERNAMEgt ltNEW PASSWORDgt
-setrole ltUSERNAMEgt [admin|user]
-enableuser ltUSERNAMEgt
-disableuser ltUSERNAMEgt
-deleteuser ltUSERNAMEgt
-showcomputers
-deletecomputer COMPUTERNAME
-setalias COMPUTERNAME ALIAS
-help
5 Advanced Configuration
51 Change Server Port
By default NeoRouter server listens at TCP port 32976 for incoming client connections User can change the
listening port to any valid number between 1 and 65534
a Launch Configuration Explorer sign in and open the Settings tab
b Click on ldquoChange Portrdquo button input the new listening port and click ldquoOkrdquo to save the settings
c If the NeoRouter Server is running on the same computer user will be prompted for restarting the
NeoRouter Server
d If the NeoRouter Server is running on a different computer or device user needs to restart the server
manually
User Manual
NeoRouter Inc 2010 Page 41 of 53
Note
- The new settings will not take effect until the NeoRouter server stops and restarts
- Since the listening port has been changed all NeoRouter clients connected to the server will be
disconnected and have to reconnect to the server
52 Change DHCP NeoRouter server acts as a DHCP server to allocate the virtual IP address when a NeoRouter client connects to it By default the base IP address is 100002552552550 User can change the base IP address to any valid network IP address to meet the specific requirements
a Run Configuration Explorer sign in and open the ldquoSettingsrdquo tab b Click on ldquoChange DHCPrdquo button input the new IP address and netmask and then click ldquoOkrdquo to save the
settings c If the NeoRouter Server is running on the same computer user will be prompted for restarting the
NeoRouter Server d If the NeoRouter Server is running on a different computer or device user needs to restart the server
manually
Note
- The new settings will not take effect until the NeoRouter server stops and restarts
53 Network Bridge
531 Overview NeoRouter (v099 or later) supports the Network Bridge feature which uses two very different means for
interconnecting networks routing and bridging Once the feature is enabled the ACL feature will be disabled
automatically as we cannot control the packets from the external networks anymore and may cause security issues if
its not setup properly So this is an advanced feature for the users who know about it every well
Routing - refers to the interconnection of separate and independent sub-networks (subnets) which have non-
overlapping ranges of IP addresses Upon receiving a packet sent to it a network router examines the
destination IP address to determine which of several connected networks should receive it after which that packet
is forwarded to the proper network
User Manual
NeoRouter Inc 2010 Page 42 of 53
Bridging - by comparison is much simpler A network bridge is simply an electrical interconnection between
separate physical networks that are all carrying the same ranges of IP addresses Standard dumb network hubs
and switches are examples of network bridges With a hub packets arriving at any port are bridged and sent
out to every other port A switch is a bit smarter since it is able to adaptively learn which network interface cards
(NICs) are attached to which ports But a switch is still interconnecting network segments carrying the same
ranges of IP addresses
532 Routing vs Bridging Although routed connections are the most common and straightforward to configure they suffer from significant
operational limitations By comparison bridged connections are generally much trickier to configure and are not
even natively available under all operating systems so they are not the default connection type But when bridging
is properly setup it correctly does everything that we want
Bridging and routing are functionally very similar with the major difference being that a routed VPN will not pass
IP broadcasts while a bridged VPN will
Routing advantages
Efficiency and scalability
Allows better tuning of MTU for efficiency
Routing disadvantages
Clients must use a WINS server (such as samba) to allow cross-VPN network browsing to work
Routes must be set up linking each subnet
Software that depends on broadcasts will not see machines on the other side of the VPN
Works only with IPv4 in general and IPv6 in cases where tuntap drivers on both ends of the connection
support it explicitly
Bridging advantages
Broadcasts traverse the VPN -- this allows software that depends on LAN broadcasts such as Windows
NetBIOS file sharing and network neighborhood browsing to work
No route statements to configure
Works with any protocol that can function over ethernet
Relatively easy-to-configure solution for road warriors
Bridging disadvantages
Less efficient than routing and does not scale well
533 Setup Network Bridge With either bridging mode or routing mode one can create point-to-site VPN site-to-site VPN or even multiple site-
to-site networks Once a network structure is well designed one can use Featureini file to control NeoRouter client
service to implement it
The file Featureini is located in the main configuration folder which can be various for different OS
On Windows Xp
XDocuments and SettingsAll UsersApplication DataZebraNetworkSystemsNeoRouter
On Vista+
XUsersAll UsersZebraNetworkSystemsNeoRouter
On Linux and Mac OSX
usrlocalZebraNetworkSystemsNeoRouter
On in-a-box
jffs
If it does not exist please create one
The only thing to do is define the parameters in the Featureini file
User Manual
NeoRouter Inc 2010 Page 43 of 53
NetworkBridge=1
LANSegment parameter
This is a set of parameters used for mapping the external IP address or IP range to a virtual IP address so that
NeoRouter can route the packets to the proper tunnel Its defined in the following format
LANSegment[index]=[IP|IP range|segment]VIP
[index] - number start from 1 for example 123
[IP] - a valid external IP address for example 192168129126
[IP range] - a set of external IP addresses in the format as IP_BEGIN-IP_END For example 192168129126-
192168129128
[segment] - a set of external IP addresses in the format as SUBNETWORKNETMASK For example
19216812902552552550
For example
[Default]
NetworkBridge=1
LANSegment1=192168129126-192168129128192168129204
LANSegment2=192168129120192168129205
LANSegment3=192168302552552550192168129206
In the sample above the setting tells NeoRouter how to route packets
Here are several common scenarios
534 Bridging Setup ndash point to site VPN
Requirement
A company wants create a point-to-site VPN so that the employees can remotely access the printers or computers in
the office from home or customer site Since NeoRouter client cannot be installed on the printers and some
User Manual
NeoRouter Inc 2010 Page 44 of 53
computers that are running Unix OS (HP-Unix Solaris or SCO Unix) the NeoRouter Network Bridge feature
would the best choice
Design
Since we want to use the printer its better to use the bridging mode Depending on the requirements we split the
network into 3 groups
1 192168129126 - 192168128128 used for computers or printers
2 192168129200 - 192168129254 used for NeoRouter DHCP
3 Other IP address we dont want packets from these IP range go to our VPN
Setup
1 Setup NeoRouter server and config the DHCP address to 1921681292002552552550
2 Setup the gateway computer by creating a bridge to combine the NeoRouter virtual adapter and a local adapter
On Windows XP+ (except WinXp x64) one can use Windows tool to create a bridge
(check out MSDN for details)
Since some adapters may not fully support prosmic mode one has to enable it manually
(check out httpsupportmicrosoftcomkb302348)
gt netsh bridge show adapter
gt netsh bridge set a 1 e
gt netsh bridge set a 2 e
On Linux one can use brctl command to create a bridge
gt brctl addbr $br
gt brctl addif $br eth0
gt brctl addif $br nrtap
gt ifconfig nrtap 0000 promisc up
gt ifconfig eth0 0000 promisc up
gt ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast
gt
gt ifconfig $br down
gt brctl delbr $br
3 Setup Featureini file on each member of the NeoRouter network The content of the file is
[Default]
NetworkBridge=1
LANSegment1=192168129126-192168129128192168129204
After setting the file restart the nrservice or reboot computer
User Manual
NeoRouter Inc 2010 Page 45 of 53
535 Routing Setup ndash site to site VPN
Requirement
A company wants create a site-to-site VPN to link two offices located in different cities They cannot install
NeoRouter client software on their computers running Unix OS (HP-Unix Solaris or SCO Unix) The NeoRouter
Network Bridge feature would be the best choice
Design
To make the VPN fast its better to use the routing mode From the requirements we can see 3 networks
1 19216812902552552550 Office 1
2 192168302552552550 Office 2
3 100102552552550 NeoRouter virtual network
Setup
1 Setup NeoRouter client on each gateway computers
2 One each gateway computer enable the feature allowing the OS to forward packets
On Windows 2000+
create HKEY_Local_MachineSystemCurrentControlSetServicesTcpipParametersIPEnableRouter
as a string value equal to 1 in the registry This will require a system reboot to take effect To confirm it
is enabled do ipconfig all from the command line IP Routing Enabled should say yes If not confirm your
registry setting and reboot again This setting is flaky in non-server versions of Windows
Also refer to httpsupportmicrosoftcomkb230082en-us
On Linux
gt echo 1 gt procsysnetipv4ip_forward
User Manual
NeoRouter Inc 2010 Page 46 of 53
On Mac OS X
1) The easy way is to create or edit etcsysctlconf and add netinetipforwarding=1
or
2) gt sysctl -w netinetipforwarding=1
3 Setup route on each gateway
On the gateway of the 1921683x network
gt route ndashp add 1921681290 mask 25525500 1001103
On the gateway of the 192168129x network
gt route ndashp add 19216830 mask 25525500 1001102
4 Setup route stable When using routing method you need to tell your other machines how to cross the VPN to
access computers on the opposite network
Option1
This requires more work but limits configuration changes to be at the computer level
On each computer of the 1921683x network
gt route ndashp add 1921681290 mask 25525500 1921683234
On each computer of the 192168129x network
gt route ndashp add 19216830 mask 25525500 192168129129
Option 2 (not all routers support this but it is the minimal configuration method)
On the router acting as the default gateway for 1921683x network add a static route that says any traffic destined
for 1921681290 network go through 1921683x (IP address of NeoRouter PC on 1921683x network)
On the router acting as the default gateway for 192168129x network add a static route that says any traffic
destined for 19216830 network go through 192168129x (IP address of NeoRouter PC on 192168129x
network)
User Manual
NeoRouter Inc 2010 Page 47 of 53
536 Bridging Setup ndash site to site VPN
537 Run Scripts When Network Bridge feature is enabled one can define commands getting called by NR Client on the following
events
These commands should be defined in the Featureini file
1When initialize the tap device but not activate it yet
CmdOnTapInit=xxxxxxxxx
2When the tap device gets activated
CmdOnTapActive=xxxxxxxxx
3When tap device gets destroyed
CmdOnTapUninit=xxxxxxxxx
These options are available on all platforms
For example one can define a script to setup static route table after the tap gets activated and has virtual IP address
assigned
Featureini
CmdOnTapActive=usrbinsetroutetablesh
User Manual
NeoRouter Inc 2010 Page 48 of 53
54 Build Custom Add-on (Windows)
541 Create Custom Add-on You can customize an add-on or even create your own
As an example letrsquos create an add-on to get the system info of a remote computer using PsTools by Mark
Russinovich and systeminfoexe command shipped with Windows
PsTools httptechnetmicrosoftcomen-ussysinternalsbb896649aspx
systeminfo httptechnetmicrosoftcomen-uslibrarybb491007aspx
a Launch NeoRouter Network Explorer open Add-ons Manager dialog
b Click + button to create a new add-on
c In add-on properties dialog enter the following
Add-on name psexec systeminfo
Command
cmdexe C cpstoolspsexecexe NRIPAddress -u ltusernamegt systeminfo amp pause
Please replace ltusernamegt with username on the remote computer
Comment Get SystemInfo of remote machine using psexec
Startup Type Manual
Icon click Change Icon button to choose one thats easy to recognize
d In the command you can use Windows environment variables or NeoRouter variables like
NRIPAddress If you click on the button next to the Command edit box you will see the Edit
Command dialog with a list of variables you can use
User Manual
NeoRouter Inc 2010 Page 49 of 53
e Three Startup types are supported
Manual the add-on will be displayed in the launch pad of Network Explorer and user can manually
launch the program
Automatic after signing in the add-on command is automatically executed when user signs into
NeoRouter Network Explorer
Automatic after Windows starts the add-on command is automatically executed when Windows
starts
f Launch the new add-on just click on the target computer in Network Explorer and choose the add-on in
the pop-up launch pad
User Manual
NeoRouter Inc 2010 Page 50 of 53
g In the above steps I have assumed that PsTools are installed at cPsTools and the remote computer has
telnet service enabled If not lets configure the system now
PsTools download from httptechnetmicrosoftcomen-ussysinternalsbb896649aspx and extract to
cPsTools folder
h Configure telnet service on remote computer This step is required on XPVista but not necessary on
Windows 20032008 servers
Run servicesmsc from the Start -gt Run command window and configured the Telnet service for
Automatic Start the service
Follow the instructions here httpsupportmicrosoftcomkb298060en-us
Launch Windows firewall and add CWINDOWSSystem32tlntsvrexe to exception list
542 Add-on File Formats
NeoRouter supports two types of add-on files nri and nra Most users only need to deal with nri files all files
downloaded from httpwwwneoroutercomaddonsindexhtml are in this format nra files are used by advanced
users to build custom add-ons
nri is the full installation package that contains both the application and the the configure info Users can simply
download nri files from and use the Install button to setup the add-on
nra contains only the configuration info Advanced users can create custom add-ons and export the configuration
info as nra files using the Export button in the add-on properties dialog Then heshe can import the nra file
on another client But remember that you will need to manually setup the application as well
User Manual
NeoRouter Inc 2010 Page 51 of 53
6 Licensing NeoRouter
61 Licensing Overview
NeoRouter Server Professional Edition has a license control mechanism User can purchase either 8 licenses or 256
licenses The number of licenses is the max number of client computers allowed in the virtual network A
NeoRouter client requires one license regardless of whether it is online or offline A NeoRouter PortableUSB client
requires one license when it is connected to the virtual network There is no limit on the number of user accounts
NeoRouter Professional has 30 days trial period Please activate before the trial period expires to ensure
uninterrupted usage The license status and remaining trial days can be found at Configuration Explorerrsquos General
page
62 Activation
If you have purchased NeoRouter Professional Edition you should receive a product key in email Please have the
product key ready before starting the activation process
a Ensure NeoRouter server is running
b Launch Configuration Explorer and sign in
c Open ldquoGeneralrdquo page click on the ldquoActivate Productrdquo button
d Enter the product key in the following dialog
e Click on the ldquoOKrdquo button to activate it
After successful activation the ldquoActivate Productrdquo button will disappear and License status will show as activated
If the server host is non-Windows you can also activate using nrserverrsquos CLI The command is as follows On Mac
nrserver executable is located under LibraryNeoRouter
ldquonrserver ndashactivateproduct ltPRODUCT KEYgtrdquo
63 Product Key Recovery
You should receive a product key in email within 48 hours after your purchase If you lose the product key please
contact us and provide your name company shipping address and email address We will verify the information and
resend the product key to you
User Manual
NeoRouter Inc 2010 Page 52 of 53
7 Troubleshooting and Support
71 Troubleshooting
If you come cross issues when using NeoRouter please use the methods to debug or report
711 Troubleshooting steps
1Install Server
2Check Server
Process
3Check Server
Listening port
4Check Port
Forwarding
6Signin with
Domain
14Check Error
Message
20 Generate Log
and email support
9Install Client
10Check Client
Service Process
11Sign in with
serverrsquos local or
public IP and port
failed
sucessful
15 Manually Start
Servernot found
started
not start
found
not open17 Check Port
conflicts
solved
Not solved
opened
19 Check Router
Port Forward
setting
not work
Set properly
8Ready
Sign in successfully
5Sign in with
public IP and port
successful
Cannot sign in
22 Router Hairpin
issue
Cannot
sign in
12Sign in with
domain name
found
successful
failed
16 Manually Start
Client ServiceNot found
started
13Ready
Sign in successfully
18 Check serverCannot
Sign in
solved
Cannot
sign in
21 Check domain
setting
Not sovled solved
Troubleshooting Steps
Setup Server Setup Client
Note
Step 2 and 10 to check if a process is running you can use Task Manager or Services Console on
Windows or ps command on other platforms
Step 3 to check server listening port you can use telnet or netstat on all platforms You can also
TcpViewer on Windows or NetActView on Linux
Step 4 to check port forwarding you can use httpwwwneoroutercomcheckportphp
Step 5 and 6 Tip ndash use Configuration Explorer instead of Network Explorer to debug server issues
Step 20 next section will explain how to generate log files
User Manual
NeoRouter Inc 2010 Page 53 of 53
Step 22 If your router does not support Hairpin please set serverrsquos LAN address in the Connection
Options dialog See Server Local Address
712 Generate Log
If you need technical support please use the following steps to collect the log files and send them to
supportneoroutercom
a Launch Network Explorer
b Select menu item HelpgtgtTroubleshootinggtgtLog Session to File
c If you want to troubleshoot the server then restart the NeoRouter server service from the servicesmsc if
you want to create log for the client then restart the NeoRouter client service from the servicemsc
d After reproduce the issue select menu item HelpgtgtTroubleshootinggtgt Log Session to File again to disable
the log and restart the service you are trying to log
e Select menu item HelpgtgtTroubleshootinggtgtOpen Configuration Folder and you will see the log file
For advanced users please setup logging settings manually referring to
httpwwwneoroutercomwikiindexphpNeoRouterWikiFAQHow_to_generate_a_log_file3F
72 Contact Us
Company website
httpwwwneoroutercom
Technical support
supportneoroutercom
Support ticket
httpswwwneoroutercomDashboardSendTicketaspx
Support forum
httpwwwneoroutercomforum
Product sales
salesneoroutercom
Knowledge base
httpwwwneoroutercomsupport
User Manual
NeoRouter Inc 2010 Page 26 of 53
35 Multi-Language
Multi-Language support allows you to change the default language displayed in Network Explorer NeoRouter
Portable and Configuration Explorer
351 Install a language resource file
NeoRouter applications support 34 languages and English is the default To install a new language you can
download the language resource files from
httpwwwneoroutercomwikiindexphpNeoRouterWikiMultilanguage and place them under the translation
folder Then the application will load them and list all available languages in the Language menu You can switch
language in the menu and the application will refresh its UI with the new language
For NeoRouter Network Explorer and Configuration Explorer the language resource files should be placed under
one of the following folders
ldquoProgram FilesZebraNetworkSystemsNeoRouterTranslationrdquo
ldquoAllUsersAppdataZebraNetworkSystemsNeoRouterTranslationrdquo
For NeoRouter PortableUSB the language resource file should be placed under Translations folder next to
application
352 Language resource file format
The file name should have the following format [Appliation Name] can be NRClient NRViewer and NRConsole
[LangCd] is the short language code
[Application name]Resource[LangCd][xml|dll]
For example Simplified Chinese version has the following files NRClientResourceZhCnxml for Network
Explorer NRConsoleResourceZhCnxml for Configuration Explorer and NRViewerResourceZhCnxml for
NeoRouter Portable
User Manual
NeoRouter Inc 2010 Page 27 of 53
Each resource file is an xml that contains all the strings defined in the NeoRouter applications The file is encoded in
ANSI The content should be in the format
ltxml version=10 encoding=windows-1252gt
ltresource CompactMode=1 Language=English (United States) LANGID=1033
version=09101650gt
ltstring id=100 value=OLE initialization failed Make sure that the OLE libraries are
the correct versiongt
ltresourcegt
Encoding (=windows-1252) Language(=English (United States)) and LANGID(=1033) are used to control
the translation version=09101650 is resource file version number introduced in v0910 The resource file can
be recognized properly only when these parameters are set properly
353 Multi-Language support for Add-ons
The names and descriptions of the add-ons can be translated to other languages as well You can download the add-
on configuration file from NeoRouter website and overwrite the following file
AllUserAppDataZebraNetworkSystemsNeoRouterAddOnsAddOnxml
36 Skin
Skin allows you to further customize the user interfaces of Network Explorer NeoRouter Portable and
Configuration Explorer
To install a new skin you can download the skin resource file from
httpwwwneoroutercomwikiindexphpNeoRouterWikiSkin and place them under the skin folder
For NeoRouter Network Explorer and Configuration Explorer the language resource files should be placed under
one of the following folders
ldquoProgram FilesZebraNetworkSystemsNeoRouterSkinrdquo
ldquoAllUsersAppdataZebraNetworkSystemsNeoRouterSkinrdquo
For NeoRouter PortableUSB the language resource file should be placed under Skin folder next to executable
To change default skin you need to modify (or create if not exists)
AllUserAppDataZebraNetworkSystemsNeoRouterFeatureini file and add the following
[Default]
SkinName=xxxxstyles
SkinStyle=xxxxini
37 Network Explorer CLI
NeoRouter Network Explorer Command Line Interface (CLI) allows user to sign in manage the computer list and
view computer status Below are the screenshots on Mac and Ubuntu Linux
User Manual
NeoRouter Inc 2010 Page 28 of 53
371 Launch CLI
Usage nrclientcmd [-d DOMAIN] [-u USERNAME] [-p PASSWORD] [-setproxy] [-setconn] [-dbroot DBROOT]
[-internal] [--help]
To launch Network Explorer CLI you can simply run nrclientcmd in a terminal without parameters Mac users can
simply double-click on the nrclientcmd shortcut on the Desktop You will be prompted for domain name and user
credential
If you need to launch nrclientcmd in a startup script you can also provide domain name or credential in the
command line arguments
If the client host is behind a proxy you can use ndashsetproxy option The proxy information will be stored in the
configuration file and nrclientcmd will respect this setting subsequently
There are also a few advance options
- setconn allow user to specify client-to-client connection type
- dbroot allow user to specify the location to store user data
- internal nrclientcmd will generate tags between information sections This option can be used by third
party developers to create a UI wrapper for CLI
372 Computer List in CLI
After signing in you will see your computer list just like on Windows The computer list will automatically update
if there are any changes in your virtual LAN eg a host comes online or offline
At the bottom of the screen lists the available commands you can use to manage the computer list change password
remotely wake up a computer or to quit
38 Network Explorer Portable
NeoRouter Network Explorer Portable can run from any computer without installation It does not require
administrator permission or use the virtual network adapter This application can be extremely useful for users who
need to connect to the VLAN from a public kiosk or from friendrsquos house
User Manual
NeoRouter Inc 2010 Page 29 of 53
Note Prior to v111 Portable and USB are two separate packages They are merged into one package in v111 and
later releases The new package is a zip file containing both the portable client and the USB Auto Run Configuration
Tool The functionalities are same as before
381 Network Explorer Portable
To use Network Explorer Portable client user can simply download it from NeoRouter download website and run
Then user will see the same user interface as the regular Network Explorer The user experience is almost the same
except for the following
The host running PortableUSB client cannot be added to the computer list or be accessed by remote computer
You can think of it as a ldquoviewer of the VLANrdquo
NeoRouter administrator users can see and manage hosts running PortableUSB clients in the Configuration
Explorer
382 Auto Run Configuration for USB
Auto Run Configuration Tool allows user to store the portable client add-ons and configuration on a USB drive
You can even configure it to launch and sign in automatically when the USB drive is plugged into a computer and to
sign out and exit when the USB drive is unplugged
Here are the steps for setting up the USB package
a Download NeoRouter for USB
b Unzip the package to any folder For example CTEMP
c Launch the ldquoAuto Run Configuration Toolrdquo (AutoRunCfgexe)
User Manual
NeoRouter Inc 2010 Page 30 of 53
d Click on the ldquohelliprdquo button next to the working directory text box and specify a working path If the target
USB drive is plugged in you can specify the USB drive root path as the working directory Or you can
specify a temporary path (eg CTEMPUSB) and copy the files to your USB driver later
e Once you specify a working directory the Settings section will be enabled
f Choose CliViewerexe from the same install zip package as the Target file
g Check the Sign in checkbox and enter the domain name and user information to log into your NeoRouter
VLAN
h Setup the proxy information if necessary
i If you want to import a NeoRouter add-on click on the button on the right side of the Add-on file text
box and specify an add-on nri file
j If you want to run an application automatically after signing in click on the Run application
automatically check box and input an executable file path and parameters
k If you want to hide the NeoRouter Viewer window click on the Minimize NeoRouter window when
started
l Click on Save button to save the configuration files It will generate the following files under the working
directory
- Autoruninf
- CliViewerexe copied from the target file
- NRAutoRunxml
- [add-on file]nri if you specify an add-on
- Proxyxml if you specify a proxy
m You will also see the following dialog if the configuration was successful Then please copy all files and
sub-folder under the working directory to the root of your USB drive And the USB drive is ready to use
39 Change Password
A user can change hisher password in NeoRouter Network Explorer User must sign in the Network Explorer using
old password then choose menu ldquoFile | Change Passwordrdquo then enter the new password in the dialog
Network Explorer CLI has similar functionality After signing in user can use ndashchangepassword command to enter
new password
If a user loses the old password an administrator can create a new password for himher using the Configuration
Explorer User Management tool
User Manual
NeoRouter Inc 2010 Page 31 of 53
4 Configuration Explorer
NeoRouter Configuration Explorer is a Windows application that allows an administrator to manage local or remote
NeoRouter server This is the recommended method to change server settings
If user does not have a Windows computer nrserver CLI can be used to perform most configurations
41 Launch and Sign In
Note Only administrators can sign in Configuration Explorer
a User can launch it from Windows Start Menu | All Programs | NeoRouter | NeoRouter Network Explorer
or from NeoRouter Network Explorer menu ldquoFile | Optionsrdquo
b After launch user will see a sign-in dialog that is similar to the Network Explorer counterpart Please enter
domain name and user credential to sign in If the local host is behind a proxy please click on Connection
button to set proxy information
c After sign in the following general information page will be displayed
User Manual
NeoRouter Inc 2010 Page 32 of 53
42 Managing Users
In the User Accounts page you can perform the following tasks
- View existing users The users list can be sorted by any column
- Add a new user admin will create a temporary password for the new user and user can change the
password in Network Explorer
- Edit user information you can enter anything like employer contact info etc
- Set userrsquos password If a user loses password admin can set a temporary password for himher Then user
can change the password again in Network Explorer
- Disable (block) a user A disabled user will not be able to sign in Network Explorer or Configuration
Explorer The userrsquos profile and ACL settings are retained
- Delete a user all information of this user is deleted
- View the computers that are visible to this user (see ACL section for details)
User Manual
NeoRouter Inc 2010 Page 33 of 53
43 Managing Computers
In the Computers page you can perform the following tasks
- View existing computers please note that the Type column will show ldquoTemporaryrdquo for Network Explore
PortableUSB clients and ldquoPermanentrdquo for regular clients The computer list can be sorted by any column
- Edit a computerrsquos alias When a computer is added to the virtual network NeoRouter reads the computer
name from the OS and displays it in the computer list If you prefer a different name you can create an
alias which will then be used in the computer list
- Edit a computerrsquos description you can enter anything like computer owner location asset id etc
- Edit ACL this will be discussed in next section
User Manual
NeoRouter Inc 2010 Page 34 of 53
44 Access Control List
This feature is available in NeoRouter Profession Edition only
441 Overview
The ACL of a host specifies which users are granted or denied access to the host and which specific services or ports
are allowed Administrators can use ACL to manage a NeoRouter domain that has users with different trust levels
For example Joe uses NeoRouter to manage the office network at his small business He wants to share some
documents on a file server with a customer but block this customer from accessing other services on this file server
and other computers at office At the same time Joe and his coworkers should continue to have full access to all
computers
This can be a daunting task with traditional VPN solutions Once Joersquos customer is connected into the office
network heshe can access all network resources just like Joe and his coworkers If the office uses a domain
controller it can help mitigate the threat but Joe would have to check all the computers to ensure they are secure
Some coworkers can make innocent mistakes and share important files or internal websites with ldquoeveryonerdquo With
NeoRouter Joe can manage all the access control at one place and easily solve this challenge
User Manual
NeoRouter Inc 2010 Page 35 of 53
ACL defines the relationships between users and computers that can be conceptually represented using a table In
Joersquos case he needs to define the ACL as follows
Default User Joe (Admin) Customer Joersquo Co-workers
Default Computer ACL Block all
File Server Allow all Allow file sharing
block other services
Office Computer A Allow all Block all
Office Computer B Allow all Block all
Joersquos laptop Allow all Block all
Customerrsquos Computer
Letrsquos first look at the row for File Server Joersquos customer will only have access to the files sharing service There is
no ACL defined for Joe and his co-workers so the ACL for Default User is effective and they have full access
Similarly the customer will be blocked from accessing office computer A and B as well as Joersquos laptop while Joe
and his coworkers have full access to these computers
When the customer connects to Joersquos NeoRouter domain his computer will be added to the domain Because the
ACL for this computer is undefined it will have the same ACL as ldquoDefault Computerrdquo Thus the customerrsquos
computer will block all users including Joe from accessing it The customer has physical access to his own
computer
442 Define Computer ACL
You can think of a computerrsquos ACL as a row in the above ACL table An admin can select any computer in the
computer list and edit its ACL If a group of computers share the same ACL admin can copy ACL from one
computer to another
To edit the Default Computer ACL you can click on the ldquoEdit Default ACLrdquo button in the tool bar
User Manual
NeoRouter Inc 2010 Page 36 of 53
443 Define ACL entry
An ACL entry defines the relationship between one user and one computer You can think of it as a cell in the above
table To edit an ACL entry you can select the computer in the computer list click Edit ACL in the tool bar and
then select the user in the User List in the following dialog If the user does not exist in the list you can click Add
button and add himher
There are 4 types of ACL entries
Undefined the relationship between the user and the computer is not explicitly defined The user does not
show up in the User List of the ACL In this case the Default User ACL entry for this computer will be
effective
Block All the computer is invisible to the user User cannot add the computer to hisher computer list in
Network Explorer or connect to it
Note admin can view the list of computers that is visible to a specific user Click on the User Accounts tab
choose the user and then click on the ldquoUser Computer Listrdquo button from tool bar
Firewall On User can only access the services in the exceptions list provided by the computer
Firewall Off User can access all services provided by the computer
To define the Default User ACL entry for a computer choose Default User from User List If several users have the
same trust level admin can copy the ACL entry from one user to another using the ldquoCopy Fromrdquo button
444 How Firewall Works
NeoRouter Client Service daemon has a built-in firewall that monitors traffic in the virtual network The firewall
downloads the ACL from server and uses it to allow or deny incoming connections in the virtual network
User Manual
NeoRouter Inc 2010 Page 37 of 53
When a remote computer establishes a direct P2P or relayed connection to local host it also informs which user has
signed into the Network Explorer on the remote computer Then the local hostrsquos firewall will use the user id to
choose the appropriate ACL entry and control the virtual network traffic between these two computers If user does
not sign in Network Explorer on the remote computer the Default User ACL entry is used
As a result NeoRouter firewall can control a userrsquos access to a network resource (a computer or a service on a
computer) based on the ACL
445 Example hub-and-spoke
Jeffrsquos company has three business partners A B and C Jeff needs to setup bidirectional network connections with
each partner but these partners should be invisible to each other Jeff setup a NeoRouter domain and invited the
partners to Then Jeff creates the following ACL to achieve his access control goals
Default User Jeff (Admin) Partner A Partner B Partner C
Default Computer ACL Block all Allow all
Jeffrsquos Computer 1 (Hub 1) Allow all
Jeffrsquos Computer 2 (Hub 2) Allow all
Partner Arsquos Computer
Partner Brsquos computer
Partner Crsquos computer
Every user will have access to Jeffrsquos two computers (hub) because they have Default User ACL entry as ldquoAllow
allrdquo Partner Arsquos computer does not have a specific ACL defined so the Default Computer ACL is effective The
Default Computer ACL grants Jeff access to Partner Arsquos computer but make the computer invisible to Partner B and
C Partner A have physical access to his own computer
446 Example one-way access
Jasonrsquos company provide technical support for customer A Jason needs to have one-way access to Customer Arsquos
computer but block Customer A from accessing Jasonrsquos computer Jason sets up the following ACL for his domain
and invites Customer A to join his domain Jason can access all the computers in the domain while Customer A can
access none except for his own
One day Jason visits another Customer Brsquos office He installs NeoRouter client on Customer Brsquos computer so that he
can provide technical support remotely in the future When he signs into Network Explorer he makes sure to
uncheck ldquoremember my passwordrdquo checkbox When he leaves customer Brsquos office he exits the Network Explorer
Because Network Explorer is not running on Customer Brsquos computer the Default User ACL governs the
connections from Customer Brsquos computer to other computers in the VLAN Thus Customer B does not have access
to any computers except for his own When Jason goes back to his office he can connect to Customer Brsquos computer
remotely and provide customer support
The difference between Customer A and B is that Customer A has a NeoRouter user account while Customer B does
not The result is that Jason has access to all three computers while Customer A or B can only access hisher own
computer
Default User Jason (Admin) Customer A
Default Computer ACL Block all Allow all
Jasonrsquos Computer
Customer Arsquos Computer
Customer Brsquos Computer
User Manual
NeoRouter Inc 2010 Page 38 of 53
45 Managing Server and Domain
In the Settings page you can perform the following tasks
- Change domain name User should have setup a domain during the server installation If you decide to
change the domain name you can create a new domain at NeoRouter Dashboard website and then use
Configuration Explorer to switch the server to new domain
- Change Listen Port this is discussed in the Advanced Configuration chapter
- Change NAT setting this is discussed in the Server Installation chapter
- Change DHCP this is discussed in the Advanced Configuration chapter
Please restart the NeoRouter server daemon after changes
46 Branding
This feature is available in NeoRouter Profession Edition only
Admin can customize the logo on the sign-in page NeoRouter Network Explorer and the banner below the computer
list The customization page of the Configuration Explorer allows user to make these changes The changes will be
effective next time user signs into the Network Explorer
User Manual
NeoRouter Inc 2010 Page 39 of 53
a Logo format custom logo can be JPG JPEG BMP or GIF files The Logo will be displayed in 180 80
pixels and the file will be automatically resized to fit The color of the pixel at (0 0) will be used as the
transparent color
b Banner format custom banner can be JPG JPEG BMP or GIF files The banner will be displayed in
190 42 pixels and the file will be automatically resized to fit
c When user clicks on the banner Network Explorer will launch a web browser and navigate to the link
specified in the ldquoBanner Linkrdquo box The banner link should be a valid URL that begins with http eg
httpwwwgooglecom
User Manual
NeoRouter Inc 2010 Page 40 of 53
47 Server Configuration CLI
Another way to configure the NeoRouter server is to use nrserverrsquos CLI If user does not have a Windows computer
with Configuration Explorer this tool can be used to set most configurations
Usage nrserver [options]
-run [--dbroot ltDBROOTgt]]
-showsettings
-setdomain ltDOMAINNAMEgt ltDOMAINPASSWORDgt
-setport ltPORTgt
-dhcp ltSUBNETgt ltNETMASKgt
-showusers
-adduser ltUSERNAMEgt ltPASSWORDgt [admin|user]
-setpassword ltUSERNAMEgt ltNEW PASSWORDgt
-setrole ltUSERNAMEgt [admin|user]
-enableuser ltUSERNAMEgt
-disableuser ltUSERNAMEgt
-deleteuser ltUSERNAMEgt
-showcomputers
-deletecomputer COMPUTERNAME
-setalias COMPUTERNAME ALIAS
-help
5 Advanced Configuration
51 Change Server Port
By default NeoRouter server listens at TCP port 32976 for incoming client connections User can change the
listening port to any valid number between 1 and 65534
a Launch Configuration Explorer sign in and open the Settings tab
b Click on ldquoChange Portrdquo button input the new listening port and click ldquoOkrdquo to save the settings
c If the NeoRouter Server is running on the same computer user will be prompted for restarting the
NeoRouter Server
d If the NeoRouter Server is running on a different computer or device user needs to restart the server
manually
User Manual
NeoRouter Inc 2010 Page 41 of 53
Note
- The new settings will not take effect until the NeoRouter server stops and restarts
- Since the listening port has been changed all NeoRouter clients connected to the server will be
disconnected and have to reconnect to the server
52 Change DHCP NeoRouter server acts as a DHCP server to allocate the virtual IP address when a NeoRouter client connects to it By default the base IP address is 100002552552550 User can change the base IP address to any valid network IP address to meet the specific requirements
a Run Configuration Explorer sign in and open the ldquoSettingsrdquo tab b Click on ldquoChange DHCPrdquo button input the new IP address and netmask and then click ldquoOkrdquo to save the
settings c If the NeoRouter Server is running on the same computer user will be prompted for restarting the
NeoRouter Server d If the NeoRouter Server is running on a different computer or device user needs to restart the server
manually
Note
- The new settings will not take effect until the NeoRouter server stops and restarts
53 Network Bridge
531 Overview NeoRouter (v099 or later) supports the Network Bridge feature which uses two very different means for
interconnecting networks routing and bridging Once the feature is enabled the ACL feature will be disabled
automatically as we cannot control the packets from the external networks anymore and may cause security issues if
its not setup properly So this is an advanced feature for the users who know about it every well
Routing - refers to the interconnection of separate and independent sub-networks (subnets) which have non-
overlapping ranges of IP addresses Upon receiving a packet sent to it a network router examines the
destination IP address to determine which of several connected networks should receive it after which that packet
is forwarded to the proper network
User Manual
NeoRouter Inc 2010 Page 42 of 53
Bridging - by comparison is much simpler A network bridge is simply an electrical interconnection between
separate physical networks that are all carrying the same ranges of IP addresses Standard dumb network hubs
and switches are examples of network bridges With a hub packets arriving at any port are bridged and sent
out to every other port A switch is a bit smarter since it is able to adaptively learn which network interface cards
(NICs) are attached to which ports But a switch is still interconnecting network segments carrying the same
ranges of IP addresses
532 Routing vs Bridging Although routed connections are the most common and straightforward to configure they suffer from significant
operational limitations By comparison bridged connections are generally much trickier to configure and are not
even natively available under all operating systems so they are not the default connection type But when bridging
is properly setup it correctly does everything that we want
Bridging and routing are functionally very similar with the major difference being that a routed VPN will not pass
IP broadcasts while a bridged VPN will
Routing advantages
Efficiency and scalability
Allows better tuning of MTU for efficiency
Routing disadvantages
Clients must use a WINS server (such as samba) to allow cross-VPN network browsing to work
Routes must be set up linking each subnet
Software that depends on broadcasts will not see machines on the other side of the VPN
Works only with IPv4 in general and IPv6 in cases where tuntap drivers on both ends of the connection
support it explicitly
Bridging advantages
Broadcasts traverse the VPN -- this allows software that depends on LAN broadcasts such as Windows
NetBIOS file sharing and network neighborhood browsing to work
No route statements to configure
Works with any protocol that can function over ethernet
Relatively easy-to-configure solution for road warriors
Bridging disadvantages
Less efficient than routing and does not scale well
533 Setup Network Bridge With either bridging mode or routing mode one can create point-to-site VPN site-to-site VPN or even multiple site-
to-site networks Once a network structure is well designed one can use Featureini file to control NeoRouter client
service to implement it
The file Featureini is located in the main configuration folder which can be various for different OS
On Windows Xp
XDocuments and SettingsAll UsersApplication DataZebraNetworkSystemsNeoRouter
On Vista+
XUsersAll UsersZebraNetworkSystemsNeoRouter
On Linux and Mac OSX
usrlocalZebraNetworkSystemsNeoRouter
On in-a-box
jffs
If it does not exist please create one
The only thing to do is define the parameters in the Featureini file
User Manual
NeoRouter Inc 2010 Page 43 of 53
NetworkBridge=1
LANSegment parameter
This is a set of parameters used for mapping the external IP address or IP range to a virtual IP address so that
NeoRouter can route the packets to the proper tunnel Its defined in the following format
LANSegment[index]=[IP|IP range|segment]VIP
[index] - number start from 1 for example 123
[IP] - a valid external IP address for example 192168129126
[IP range] - a set of external IP addresses in the format as IP_BEGIN-IP_END For example 192168129126-
192168129128
[segment] - a set of external IP addresses in the format as SUBNETWORKNETMASK For example
19216812902552552550
For example
[Default]
NetworkBridge=1
LANSegment1=192168129126-192168129128192168129204
LANSegment2=192168129120192168129205
LANSegment3=192168302552552550192168129206
In the sample above the setting tells NeoRouter how to route packets
Here are several common scenarios
534 Bridging Setup ndash point to site VPN
Requirement
A company wants create a point-to-site VPN so that the employees can remotely access the printers or computers in
the office from home or customer site Since NeoRouter client cannot be installed on the printers and some
User Manual
NeoRouter Inc 2010 Page 44 of 53
computers that are running Unix OS (HP-Unix Solaris or SCO Unix) the NeoRouter Network Bridge feature
would the best choice
Design
Since we want to use the printer its better to use the bridging mode Depending on the requirements we split the
network into 3 groups
1 192168129126 - 192168128128 used for computers or printers
2 192168129200 - 192168129254 used for NeoRouter DHCP
3 Other IP address we dont want packets from these IP range go to our VPN
Setup
1 Setup NeoRouter server and config the DHCP address to 1921681292002552552550
2 Setup the gateway computer by creating a bridge to combine the NeoRouter virtual adapter and a local adapter
On Windows XP+ (except WinXp x64) one can use Windows tool to create a bridge
(check out MSDN for details)
Since some adapters may not fully support prosmic mode one has to enable it manually
(check out httpsupportmicrosoftcomkb302348)
gt netsh bridge show adapter
gt netsh bridge set a 1 e
gt netsh bridge set a 2 e
On Linux one can use brctl command to create a bridge
gt brctl addbr $br
gt brctl addif $br eth0
gt brctl addif $br nrtap
gt ifconfig nrtap 0000 promisc up
gt ifconfig eth0 0000 promisc up
gt ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast
gt
gt ifconfig $br down
gt brctl delbr $br
3 Setup Featureini file on each member of the NeoRouter network The content of the file is
[Default]
NetworkBridge=1
LANSegment1=192168129126-192168129128192168129204
After setting the file restart the nrservice or reboot computer
User Manual
NeoRouter Inc 2010 Page 45 of 53
535 Routing Setup ndash site to site VPN
Requirement
A company wants create a site-to-site VPN to link two offices located in different cities They cannot install
NeoRouter client software on their computers running Unix OS (HP-Unix Solaris or SCO Unix) The NeoRouter
Network Bridge feature would be the best choice
Design
To make the VPN fast its better to use the routing mode From the requirements we can see 3 networks
1 19216812902552552550 Office 1
2 192168302552552550 Office 2
3 100102552552550 NeoRouter virtual network
Setup
1 Setup NeoRouter client on each gateway computers
2 One each gateway computer enable the feature allowing the OS to forward packets
On Windows 2000+
create HKEY_Local_MachineSystemCurrentControlSetServicesTcpipParametersIPEnableRouter
as a string value equal to 1 in the registry This will require a system reboot to take effect To confirm it
is enabled do ipconfig all from the command line IP Routing Enabled should say yes If not confirm your
registry setting and reboot again This setting is flaky in non-server versions of Windows
Also refer to httpsupportmicrosoftcomkb230082en-us
On Linux
gt echo 1 gt procsysnetipv4ip_forward
User Manual
NeoRouter Inc 2010 Page 46 of 53
On Mac OS X
1) The easy way is to create or edit etcsysctlconf and add netinetipforwarding=1
or
2) gt sysctl -w netinetipforwarding=1
3 Setup route on each gateway
On the gateway of the 1921683x network
gt route ndashp add 1921681290 mask 25525500 1001103
On the gateway of the 192168129x network
gt route ndashp add 19216830 mask 25525500 1001102
4 Setup route stable When using routing method you need to tell your other machines how to cross the VPN to
access computers on the opposite network
Option1
This requires more work but limits configuration changes to be at the computer level
On each computer of the 1921683x network
gt route ndashp add 1921681290 mask 25525500 1921683234
On each computer of the 192168129x network
gt route ndashp add 19216830 mask 25525500 192168129129
Option 2 (not all routers support this but it is the minimal configuration method)
On the router acting as the default gateway for 1921683x network add a static route that says any traffic destined
for 1921681290 network go through 1921683x (IP address of NeoRouter PC on 1921683x network)
On the router acting as the default gateway for 192168129x network add a static route that says any traffic
destined for 19216830 network go through 192168129x (IP address of NeoRouter PC on 192168129x
network)
User Manual
NeoRouter Inc 2010 Page 47 of 53
536 Bridging Setup ndash site to site VPN
537 Run Scripts When Network Bridge feature is enabled one can define commands getting called by NR Client on the following
events
These commands should be defined in the Featureini file
1When initialize the tap device but not activate it yet
CmdOnTapInit=xxxxxxxxx
2When the tap device gets activated
CmdOnTapActive=xxxxxxxxx
3When tap device gets destroyed
CmdOnTapUninit=xxxxxxxxx
These options are available on all platforms
For example one can define a script to setup static route table after the tap gets activated and has virtual IP address
assigned
Featureini
CmdOnTapActive=usrbinsetroutetablesh
User Manual
NeoRouter Inc 2010 Page 48 of 53
54 Build Custom Add-on (Windows)
541 Create Custom Add-on You can customize an add-on or even create your own
As an example letrsquos create an add-on to get the system info of a remote computer using PsTools by Mark
Russinovich and systeminfoexe command shipped with Windows
PsTools httptechnetmicrosoftcomen-ussysinternalsbb896649aspx
systeminfo httptechnetmicrosoftcomen-uslibrarybb491007aspx
a Launch NeoRouter Network Explorer open Add-ons Manager dialog
b Click + button to create a new add-on
c In add-on properties dialog enter the following
Add-on name psexec systeminfo
Command
cmdexe C cpstoolspsexecexe NRIPAddress -u ltusernamegt systeminfo amp pause
Please replace ltusernamegt with username on the remote computer
Comment Get SystemInfo of remote machine using psexec
Startup Type Manual
Icon click Change Icon button to choose one thats easy to recognize
d In the command you can use Windows environment variables or NeoRouter variables like
NRIPAddress If you click on the button next to the Command edit box you will see the Edit
Command dialog with a list of variables you can use
User Manual
NeoRouter Inc 2010 Page 49 of 53
e Three Startup types are supported
Manual the add-on will be displayed in the launch pad of Network Explorer and user can manually
launch the program
Automatic after signing in the add-on command is automatically executed when user signs into
NeoRouter Network Explorer
Automatic after Windows starts the add-on command is automatically executed when Windows
starts
f Launch the new add-on just click on the target computer in Network Explorer and choose the add-on in
the pop-up launch pad
User Manual
NeoRouter Inc 2010 Page 50 of 53
g In the above steps I have assumed that PsTools are installed at cPsTools and the remote computer has
telnet service enabled If not lets configure the system now
PsTools download from httptechnetmicrosoftcomen-ussysinternalsbb896649aspx and extract to
cPsTools folder
h Configure telnet service on remote computer This step is required on XPVista but not necessary on
Windows 20032008 servers
Run servicesmsc from the Start -gt Run command window and configured the Telnet service for
Automatic Start the service
Follow the instructions here httpsupportmicrosoftcomkb298060en-us
Launch Windows firewall and add CWINDOWSSystem32tlntsvrexe to exception list
542 Add-on File Formats
NeoRouter supports two types of add-on files nri and nra Most users only need to deal with nri files all files
downloaded from httpwwwneoroutercomaddonsindexhtml are in this format nra files are used by advanced
users to build custom add-ons
nri is the full installation package that contains both the application and the the configure info Users can simply
download nri files from and use the Install button to setup the add-on
nra contains only the configuration info Advanced users can create custom add-ons and export the configuration
info as nra files using the Export button in the add-on properties dialog Then heshe can import the nra file
on another client But remember that you will need to manually setup the application as well
User Manual
NeoRouter Inc 2010 Page 51 of 53
6 Licensing NeoRouter
61 Licensing Overview
NeoRouter Server Professional Edition has a license control mechanism User can purchase either 8 licenses or 256
licenses The number of licenses is the max number of client computers allowed in the virtual network A
NeoRouter client requires one license regardless of whether it is online or offline A NeoRouter PortableUSB client
requires one license when it is connected to the virtual network There is no limit on the number of user accounts
NeoRouter Professional has 30 days trial period Please activate before the trial period expires to ensure
uninterrupted usage The license status and remaining trial days can be found at Configuration Explorerrsquos General
page
62 Activation
If you have purchased NeoRouter Professional Edition you should receive a product key in email Please have the
product key ready before starting the activation process
a Ensure NeoRouter server is running
b Launch Configuration Explorer and sign in
c Open ldquoGeneralrdquo page click on the ldquoActivate Productrdquo button
d Enter the product key in the following dialog
e Click on the ldquoOKrdquo button to activate it
After successful activation the ldquoActivate Productrdquo button will disappear and License status will show as activated
If the server host is non-Windows you can also activate using nrserverrsquos CLI The command is as follows On Mac
nrserver executable is located under LibraryNeoRouter
ldquonrserver ndashactivateproduct ltPRODUCT KEYgtrdquo
63 Product Key Recovery
You should receive a product key in email within 48 hours after your purchase If you lose the product key please
contact us and provide your name company shipping address and email address We will verify the information and
resend the product key to you
User Manual
NeoRouter Inc 2010 Page 52 of 53
7 Troubleshooting and Support
71 Troubleshooting
If you come cross issues when using NeoRouter please use the methods to debug or report
711 Troubleshooting steps
1Install Server
2Check Server
Process
3Check Server
Listening port
4Check Port
Forwarding
6Signin with
Domain
14Check Error
Message
20 Generate Log
and email support
9Install Client
10Check Client
Service Process
11Sign in with
serverrsquos local or
public IP and port
failed
sucessful
15 Manually Start
Servernot found
started
not start
found
not open17 Check Port
conflicts
solved
Not solved
opened
19 Check Router
Port Forward
setting
not work
Set properly
8Ready
Sign in successfully
5Sign in with
public IP and port
successful
Cannot sign in
22 Router Hairpin
issue
Cannot
sign in
12Sign in with
domain name
found
successful
failed
16 Manually Start
Client ServiceNot found
started
13Ready
Sign in successfully
18 Check serverCannot
Sign in
solved
Cannot
sign in
21 Check domain
setting
Not sovled solved
Troubleshooting Steps
Setup Server Setup Client
Note
Step 2 and 10 to check if a process is running you can use Task Manager or Services Console on
Windows or ps command on other platforms
Step 3 to check server listening port you can use telnet or netstat on all platforms You can also
TcpViewer on Windows or NetActView on Linux
Step 4 to check port forwarding you can use httpwwwneoroutercomcheckportphp
Step 5 and 6 Tip ndash use Configuration Explorer instead of Network Explorer to debug server issues
Step 20 next section will explain how to generate log files
User Manual
NeoRouter Inc 2010 Page 53 of 53
Step 22 If your router does not support Hairpin please set serverrsquos LAN address in the Connection
Options dialog See Server Local Address
712 Generate Log
If you need technical support please use the following steps to collect the log files and send them to
supportneoroutercom
a Launch Network Explorer
b Select menu item HelpgtgtTroubleshootinggtgtLog Session to File
c If you want to troubleshoot the server then restart the NeoRouter server service from the servicesmsc if
you want to create log for the client then restart the NeoRouter client service from the servicemsc
d After reproduce the issue select menu item HelpgtgtTroubleshootinggtgt Log Session to File again to disable
the log and restart the service you are trying to log
e Select menu item HelpgtgtTroubleshootinggtgtOpen Configuration Folder and you will see the log file
For advanced users please setup logging settings manually referring to
httpwwwneoroutercomwikiindexphpNeoRouterWikiFAQHow_to_generate_a_log_file3F
72 Contact Us
Company website
httpwwwneoroutercom
Technical support
supportneoroutercom
Support ticket
httpswwwneoroutercomDashboardSendTicketaspx
Support forum
httpwwwneoroutercomforum
Product sales
salesneoroutercom
Knowledge base
httpwwwneoroutercomsupport
User Manual
NeoRouter Inc 2010 Page 27 of 53
Each resource file is an xml that contains all the strings defined in the NeoRouter applications The file is encoded in
ANSI The content should be in the format
ltxml version=10 encoding=windows-1252gt
ltresource CompactMode=1 Language=English (United States) LANGID=1033
version=09101650gt
ltstring id=100 value=OLE initialization failed Make sure that the OLE libraries are
the correct versiongt
ltresourcegt
Encoding (=windows-1252) Language(=English (United States)) and LANGID(=1033) are used to control
the translation version=09101650 is resource file version number introduced in v0910 The resource file can
be recognized properly only when these parameters are set properly
353 Multi-Language support for Add-ons
The names and descriptions of the add-ons can be translated to other languages as well You can download the add-
on configuration file from NeoRouter website and overwrite the following file
AllUserAppDataZebraNetworkSystemsNeoRouterAddOnsAddOnxml
36 Skin
Skin allows you to further customize the user interfaces of Network Explorer NeoRouter Portable and
Configuration Explorer
To install a new skin you can download the skin resource file from
httpwwwneoroutercomwikiindexphpNeoRouterWikiSkin and place them under the skin folder
For NeoRouter Network Explorer and Configuration Explorer the language resource files should be placed under
one of the following folders
ldquoProgram FilesZebraNetworkSystemsNeoRouterSkinrdquo
ldquoAllUsersAppdataZebraNetworkSystemsNeoRouterSkinrdquo
For NeoRouter PortableUSB the language resource file should be placed under Skin folder next to executable
To change default skin you need to modify (or create if not exists)
AllUserAppDataZebraNetworkSystemsNeoRouterFeatureini file and add the following
[Default]
SkinName=xxxxstyles
SkinStyle=xxxxini
37 Network Explorer CLI
NeoRouter Network Explorer Command Line Interface (CLI) allows user to sign in manage the computer list and
view computer status Below are the screenshots on Mac and Ubuntu Linux
User Manual
NeoRouter Inc 2010 Page 28 of 53
371 Launch CLI
Usage nrclientcmd [-d DOMAIN] [-u USERNAME] [-p PASSWORD] [-setproxy] [-setconn] [-dbroot DBROOT]
[-internal] [--help]
To launch Network Explorer CLI you can simply run nrclientcmd in a terminal without parameters Mac users can
simply double-click on the nrclientcmd shortcut on the Desktop You will be prompted for domain name and user
credential
If you need to launch nrclientcmd in a startup script you can also provide domain name or credential in the
command line arguments
If the client host is behind a proxy you can use ndashsetproxy option The proxy information will be stored in the
configuration file and nrclientcmd will respect this setting subsequently
There are also a few advance options
- setconn allow user to specify client-to-client connection type
- dbroot allow user to specify the location to store user data
- internal nrclientcmd will generate tags between information sections This option can be used by third
party developers to create a UI wrapper for CLI
372 Computer List in CLI
After signing in you will see your computer list just like on Windows The computer list will automatically update
if there are any changes in your virtual LAN eg a host comes online or offline
At the bottom of the screen lists the available commands you can use to manage the computer list change password
remotely wake up a computer or to quit
38 Network Explorer Portable
NeoRouter Network Explorer Portable can run from any computer without installation It does not require
administrator permission or use the virtual network adapter This application can be extremely useful for users who
need to connect to the VLAN from a public kiosk or from friendrsquos house
User Manual
NeoRouter Inc 2010 Page 29 of 53
Note Prior to v111 Portable and USB are two separate packages They are merged into one package in v111 and
later releases The new package is a zip file containing both the portable client and the USB Auto Run Configuration
Tool The functionalities are same as before
381 Network Explorer Portable
To use Network Explorer Portable client user can simply download it from NeoRouter download website and run
Then user will see the same user interface as the regular Network Explorer The user experience is almost the same
except for the following
The host running PortableUSB client cannot be added to the computer list or be accessed by remote computer
You can think of it as a ldquoviewer of the VLANrdquo
NeoRouter administrator users can see and manage hosts running PortableUSB clients in the Configuration
Explorer
382 Auto Run Configuration for USB
Auto Run Configuration Tool allows user to store the portable client add-ons and configuration on a USB drive
You can even configure it to launch and sign in automatically when the USB drive is plugged into a computer and to
sign out and exit when the USB drive is unplugged
Here are the steps for setting up the USB package
a Download NeoRouter for USB
b Unzip the package to any folder For example CTEMP
c Launch the ldquoAuto Run Configuration Toolrdquo (AutoRunCfgexe)
User Manual
NeoRouter Inc 2010 Page 30 of 53
d Click on the ldquohelliprdquo button next to the working directory text box and specify a working path If the target
USB drive is plugged in you can specify the USB drive root path as the working directory Or you can
specify a temporary path (eg CTEMPUSB) and copy the files to your USB driver later
e Once you specify a working directory the Settings section will be enabled
f Choose CliViewerexe from the same install zip package as the Target file
g Check the Sign in checkbox and enter the domain name and user information to log into your NeoRouter
VLAN
h Setup the proxy information if necessary
i If you want to import a NeoRouter add-on click on the button on the right side of the Add-on file text
box and specify an add-on nri file
j If you want to run an application automatically after signing in click on the Run application
automatically check box and input an executable file path and parameters
k If you want to hide the NeoRouter Viewer window click on the Minimize NeoRouter window when
started
l Click on Save button to save the configuration files It will generate the following files under the working
directory
- Autoruninf
- CliViewerexe copied from the target file
- NRAutoRunxml
- [add-on file]nri if you specify an add-on
- Proxyxml if you specify a proxy
m You will also see the following dialog if the configuration was successful Then please copy all files and
sub-folder under the working directory to the root of your USB drive And the USB drive is ready to use
39 Change Password
A user can change hisher password in NeoRouter Network Explorer User must sign in the Network Explorer using
old password then choose menu ldquoFile | Change Passwordrdquo then enter the new password in the dialog
Network Explorer CLI has similar functionality After signing in user can use ndashchangepassword command to enter
new password
If a user loses the old password an administrator can create a new password for himher using the Configuration
Explorer User Management tool
User Manual
NeoRouter Inc 2010 Page 31 of 53
4 Configuration Explorer
NeoRouter Configuration Explorer is a Windows application that allows an administrator to manage local or remote
NeoRouter server This is the recommended method to change server settings
If user does not have a Windows computer nrserver CLI can be used to perform most configurations
41 Launch and Sign In
Note Only administrators can sign in Configuration Explorer
a User can launch it from Windows Start Menu | All Programs | NeoRouter | NeoRouter Network Explorer
or from NeoRouter Network Explorer menu ldquoFile | Optionsrdquo
b After launch user will see a sign-in dialog that is similar to the Network Explorer counterpart Please enter
domain name and user credential to sign in If the local host is behind a proxy please click on Connection
button to set proxy information
c After sign in the following general information page will be displayed
User Manual
NeoRouter Inc 2010 Page 32 of 53
42 Managing Users
In the User Accounts page you can perform the following tasks
- View existing users The users list can be sorted by any column
- Add a new user admin will create a temporary password for the new user and user can change the
password in Network Explorer
- Edit user information you can enter anything like employer contact info etc
- Set userrsquos password If a user loses password admin can set a temporary password for himher Then user
can change the password again in Network Explorer
- Disable (block) a user A disabled user will not be able to sign in Network Explorer or Configuration
Explorer The userrsquos profile and ACL settings are retained
- Delete a user all information of this user is deleted
- View the computers that are visible to this user (see ACL section for details)
User Manual
NeoRouter Inc 2010 Page 33 of 53
43 Managing Computers
In the Computers page you can perform the following tasks
- View existing computers please note that the Type column will show ldquoTemporaryrdquo for Network Explore
PortableUSB clients and ldquoPermanentrdquo for regular clients The computer list can be sorted by any column
- Edit a computerrsquos alias When a computer is added to the virtual network NeoRouter reads the computer
name from the OS and displays it in the computer list If you prefer a different name you can create an
alias which will then be used in the computer list
- Edit a computerrsquos description you can enter anything like computer owner location asset id etc
- Edit ACL this will be discussed in next section
User Manual
NeoRouter Inc 2010 Page 34 of 53
44 Access Control List
This feature is available in NeoRouter Profession Edition only
441 Overview
The ACL of a host specifies which users are granted or denied access to the host and which specific services or ports
are allowed Administrators can use ACL to manage a NeoRouter domain that has users with different trust levels
For example Joe uses NeoRouter to manage the office network at his small business He wants to share some
documents on a file server with a customer but block this customer from accessing other services on this file server
and other computers at office At the same time Joe and his coworkers should continue to have full access to all
computers
This can be a daunting task with traditional VPN solutions Once Joersquos customer is connected into the office
network heshe can access all network resources just like Joe and his coworkers If the office uses a domain
controller it can help mitigate the threat but Joe would have to check all the computers to ensure they are secure
Some coworkers can make innocent mistakes and share important files or internal websites with ldquoeveryonerdquo With
NeoRouter Joe can manage all the access control at one place and easily solve this challenge
User Manual
NeoRouter Inc 2010 Page 35 of 53
ACL defines the relationships between users and computers that can be conceptually represented using a table In
Joersquos case he needs to define the ACL as follows
Default User Joe (Admin) Customer Joersquo Co-workers
Default Computer ACL Block all
File Server Allow all Allow file sharing
block other services
Office Computer A Allow all Block all
Office Computer B Allow all Block all
Joersquos laptop Allow all Block all
Customerrsquos Computer
Letrsquos first look at the row for File Server Joersquos customer will only have access to the files sharing service There is
no ACL defined for Joe and his co-workers so the ACL for Default User is effective and they have full access
Similarly the customer will be blocked from accessing office computer A and B as well as Joersquos laptop while Joe
and his coworkers have full access to these computers
When the customer connects to Joersquos NeoRouter domain his computer will be added to the domain Because the
ACL for this computer is undefined it will have the same ACL as ldquoDefault Computerrdquo Thus the customerrsquos
computer will block all users including Joe from accessing it The customer has physical access to his own
computer
442 Define Computer ACL
You can think of a computerrsquos ACL as a row in the above ACL table An admin can select any computer in the
computer list and edit its ACL If a group of computers share the same ACL admin can copy ACL from one
computer to another
To edit the Default Computer ACL you can click on the ldquoEdit Default ACLrdquo button in the tool bar
User Manual
NeoRouter Inc 2010 Page 36 of 53
443 Define ACL entry
An ACL entry defines the relationship between one user and one computer You can think of it as a cell in the above
table To edit an ACL entry you can select the computer in the computer list click Edit ACL in the tool bar and
then select the user in the User List in the following dialog If the user does not exist in the list you can click Add
button and add himher
There are 4 types of ACL entries
Undefined the relationship between the user and the computer is not explicitly defined The user does not
show up in the User List of the ACL In this case the Default User ACL entry for this computer will be
effective
Block All the computer is invisible to the user User cannot add the computer to hisher computer list in
Network Explorer or connect to it
Note admin can view the list of computers that is visible to a specific user Click on the User Accounts tab
choose the user and then click on the ldquoUser Computer Listrdquo button from tool bar
Firewall On User can only access the services in the exceptions list provided by the computer
Firewall Off User can access all services provided by the computer
To define the Default User ACL entry for a computer choose Default User from User List If several users have the
same trust level admin can copy the ACL entry from one user to another using the ldquoCopy Fromrdquo button
444 How Firewall Works
NeoRouter Client Service daemon has a built-in firewall that monitors traffic in the virtual network The firewall
downloads the ACL from server and uses it to allow or deny incoming connections in the virtual network
User Manual
NeoRouter Inc 2010 Page 37 of 53
When a remote computer establishes a direct P2P or relayed connection to local host it also informs which user has
signed into the Network Explorer on the remote computer Then the local hostrsquos firewall will use the user id to
choose the appropriate ACL entry and control the virtual network traffic between these two computers If user does
not sign in Network Explorer on the remote computer the Default User ACL entry is used
As a result NeoRouter firewall can control a userrsquos access to a network resource (a computer or a service on a
computer) based on the ACL
445 Example hub-and-spoke
Jeffrsquos company has three business partners A B and C Jeff needs to setup bidirectional network connections with
each partner but these partners should be invisible to each other Jeff setup a NeoRouter domain and invited the
partners to Then Jeff creates the following ACL to achieve his access control goals
Default User Jeff (Admin) Partner A Partner B Partner C
Default Computer ACL Block all Allow all
Jeffrsquos Computer 1 (Hub 1) Allow all
Jeffrsquos Computer 2 (Hub 2) Allow all
Partner Arsquos Computer
Partner Brsquos computer
Partner Crsquos computer
Every user will have access to Jeffrsquos two computers (hub) because they have Default User ACL entry as ldquoAllow
allrdquo Partner Arsquos computer does not have a specific ACL defined so the Default Computer ACL is effective The
Default Computer ACL grants Jeff access to Partner Arsquos computer but make the computer invisible to Partner B and
C Partner A have physical access to his own computer
446 Example one-way access
Jasonrsquos company provide technical support for customer A Jason needs to have one-way access to Customer Arsquos
computer but block Customer A from accessing Jasonrsquos computer Jason sets up the following ACL for his domain
and invites Customer A to join his domain Jason can access all the computers in the domain while Customer A can
access none except for his own
One day Jason visits another Customer Brsquos office He installs NeoRouter client on Customer Brsquos computer so that he
can provide technical support remotely in the future When he signs into Network Explorer he makes sure to
uncheck ldquoremember my passwordrdquo checkbox When he leaves customer Brsquos office he exits the Network Explorer
Because Network Explorer is not running on Customer Brsquos computer the Default User ACL governs the
connections from Customer Brsquos computer to other computers in the VLAN Thus Customer B does not have access
to any computers except for his own When Jason goes back to his office he can connect to Customer Brsquos computer
remotely and provide customer support
The difference between Customer A and B is that Customer A has a NeoRouter user account while Customer B does
not The result is that Jason has access to all three computers while Customer A or B can only access hisher own
computer
Default User Jason (Admin) Customer A
Default Computer ACL Block all Allow all
Jasonrsquos Computer
Customer Arsquos Computer
Customer Brsquos Computer
User Manual
NeoRouter Inc 2010 Page 38 of 53
45 Managing Server and Domain
In the Settings page you can perform the following tasks
- Change domain name User should have setup a domain during the server installation If you decide to
change the domain name you can create a new domain at NeoRouter Dashboard website and then use
Configuration Explorer to switch the server to new domain
- Change Listen Port this is discussed in the Advanced Configuration chapter
- Change NAT setting this is discussed in the Server Installation chapter
- Change DHCP this is discussed in the Advanced Configuration chapter
Please restart the NeoRouter server daemon after changes
46 Branding
This feature is available in NeoRouter Profession Edition only
Admin can customize the logo on the sign-in page NeoRouter Network Explorer and the banner below the computer
list The customization page of the Configuration Explorer allows user to make these changes The changes will be
effective next time user signs into the Network Explorer
User Manual
NeoRouter Inc 2010 Page 39 of 53
a Logo format custom logo can be JPG JPEG BMP or GIF files The Logo will be displayed in 180 80
pixels and the file will be automatically resized to fit The color of the pixel at (0 0) will be used as the
transparent color
b Banner format custom banner can be JPG JPEG BMP or GIF files The banner will be displayed in
190 42 pixels and the file will be automatically resized to fit
c When user clicks on the banner Network Explorer will launch a web browser and navigate to the link
specified in the ldquoBanner Linkrdquo box The banner link should be a valid URL that begins with http eg
httpwwwgooglecom
User Manual
NeoRouter Inc 2010 Page 40 of 53
47 Server Configuration CLI
Another way to configure the NeoRouter server is to use nrserverrsquos CLI If user does not have a Windows computer
with Configuration Explorer this tool can be used to set most configurations
Usage nrserver [options]
-run [--dbroot ltDBROOTgt]]
-showsettings
-setdomain ltDOMAINNAMEgt ltDOMAINPASSWORDgt
-setport ltPORTgt
-dhcp ltSUBNETgt ltNETMASKgt
-showusers
-adduser ltUSERNAMEgt ltPASSWORDgt [admin|user]
-setpassword ltUSERNAMEgt ltNEW PASSWORDgt
-setrole ltUSERNAMEgt [admin|user]
-enableuser ltUSERNAMEgt
-disableuser ltUSERNAMEgt
-deleteuser ltUSERNAMEgt
-showcomputers
-deletecomputer COMPUTERNAME
-setalias COMPUTERNAME ALIAS
-help
5 Advanced Configuration
51 Change Server Port
By default NeoRouter server listens at TCP port 32976 for incoming client connections User can change the
listening port to any valid number between 1 and 65534
a Launch Configuration Explorer sign in and open the Settings tab
b Click on ldquoChange Portrdquo button input the new listening port and click ldquoOkrdquo to save the settings
c If the NeoRouter Server is running on the same computer user will be prompted for restarting the
NeoRouter Server
d If the NeoRouter Server is running on a different computer or device user needs to restart the server
manually
User Manual
NeoRouter Inc 2010 Page 41 of 53
Note
- The new settings will not take effect until the NeoRouter server stops and restarts
- Since the listening port has been changed all NeoRouter clients connected to the server will be
disconnected and have to reconnect to the server
52 Change DHCP NeoRouter server acts as a DHCP server to allocate the virtual IP address when a NeoRouter client connects to it By default the base IP address is 100002552552550 User can change the base IP address to any valid network IP address to meet the specific requirements
a Run Configuration Explorer sign in and open the ldquoSettingsrdquo tab b Click on ldquoChange DHCPrdquo button input the new IP address and netmask and then click ldquoOkrdquo to save the
settings c If the NeoRouter Server is running on the same computer user will be prompted for restarting the
NeoRouter Server d If the NeoRouter Server is running on a different computer or device user needs to restart the server
manually
Note
- The new settings will not take effect until the NeoRouter server stops and restarts
53 Network Bridge
531 Overview NeoRouter (v099 or later) supports the Network Bridge feature which uses two very different means for
interconnecting networks routing and bridging Once the feature is enabled the ACL feature will be disabled
automatically as we cannot control the packets from the external networks anymore and may cause security issues if
its not setup properly So this is an advanced feature for the users who know about it every well
Routing - refers to the interconnection of separate and independent sub-networks (subnets) which have non-
overlapping ranges of IP addresses Upon receiving a packet sent to it a network router examines the
destination IP address to determine which of several connected networks should receive it after which that packet
is forwarded to the proper network
User Manual
NeoRouter Inc 2010 Page 42 of 53
Bridging - by comparison is much simpler A network bridge is simply an electrical interconnection between
separate physical networks that are all carrying the same ranges of IP addresses Standard dumb network hubs
and switches are examples of network bridges With a hub packets arriving at any port are bridged and sent
out to every other port A switch is a bit smarter since it is able to adaptively learn which network interface cards
(NICs) are attached to which ports But a switch is still interconnecting network segments carrying the same
ranges of IP addresses
532 Routing vs Bridging Although routed connections are the most common and straightforward to configure they suffer from significant
operational limitations By comparison bridged connections are generally much trickier to configure and are not
even natively available under all operating systems so they are not the default connection type But when bridging
is properly setup it correctly does everything that we want
Bridging and routing are functionally very similar with the major difference being that a routed VPN will not pass
IP broadcasts while a bridged VPN will
Routing advantages
Efficiency and scalability
Allows better tuning of MTU for efficiency
Routing disadvantages
Clients must use a WINS server (such as samba) to allow cross-VPN network browsing to work
Routes must be set up linking each subnet
Software that depends on broadcasts will not see machines on the other side of the VPN
Works only with IPv4 in general and IPv6 in cases where tuntap drivers on both ends of the connection
support it explicitly
Bridging advantages
Broadcasts traverse the VPN -- this allows software that depends on LAN broadcasts such as Windows
NetBIOS file sharing and network neighborhood browsing to work
No route statements to configure
Works with any protocol that can function over ethernet
Relatively easy-to-configure solution for road warriors
Bridging disadvantages
Less efficient than routing and does not scale well
533 Setup Network Bridge With either bridging mode or routing mode one can create point-to-site VPN site-to-site VPN or even multiple site-
to-site networks Once a network structure is well designed one can use Featureini file to control NeoRouter client
service to implement it
The file Featureini is located in the main configuration folder which can be various for different OS
On Windows Xp
XDocuments and SettingsAll UsersApplication DataZebraNetworkSystemsNeoRouter
On Vista+
XUsersAll UsersZebraNetworkSystemsNeoRouter
On Linux and Mac OSX
usrlocalZebraNetworkSystemsNeoRouter
On in-a-box
jffs
If it does not exist please create one
The only thing to do is define the parameters in the Featureini file
User Manual
NeoRouter Inc 2010 Page 43 of 53
NetworkBridge=1
LANSegment parameter
This is a set of parameters used for mapping the external IP address or IP range to a virtual IP address so that
NeoRouter can route the packets to the proper tunnel Its defined in the following format
LANSegment[index]=[IP|IP range|segment]VIP
[index] - number start from 1 for example 123
[IP] - a valid external IP address for example 192168129126
[IP range] - a set of external IP addresses in the format as IP_BEGIN-IP_END For example 192168129126-
192168129128
[segment] - a set of external IP addresses in the format as SUBNETWORKNETMASK For example
19216812902552552550
For example
[Default]
NetworkBridge=1
LANSegment1=192168129126-192168129128192168129204
LANSegment2=192168129120192168129205
LANSegment3=192168302552552550192168129206
In the sample above the setting tells NeoRouter how to route packets
Here are several common scenarios
534 Bridging Setup ndash point to site VPN
Requirement
A company wants create a point-to-site VPN so that the employees can remotely access the printers or computers in
the office from home or customer site Since NeoRouter client cannot be installed on the printers and some
User Manual
NeoRouter Inc 2010 Page 44 of 53
computers that are running Unix OS (HP-Unix Solaris or SCO Unix) the NeoRouter Network Bridge feature
would the best choice
Design
Since we want to use the printer its better to use the bridging mode Depending on the requirements we split the
network into 3 groups
1 192168129126 - 192168128128 used for computers or printers
2 192168129200 - 192168129254 used for NeoRouter DHCP
3 Other IP address we dont want packets from these IP range go to our VPN
Setup
1 Setup NeoRouter server and config the DHCP address to 1921681292002552552550
2 Setup the gateway computer by creating a bridge to combine the NeoRouter virtual adapter and a local adapter
On Windows XP+ (except WinXp x64) one can use Windows tool to create a bridge
(check out MSDN for details)
Since some adapters may not fully support prosmic mode one has to enable it manually
(check out httpsupportmicrosoftcomkb302348)
gt netsh bridge show adapter
gt netsh bridge set a 1 e
gt netsh bridge set a 2 e
On Linux one can use brctl command to create a bridge
gt brctl addbr $br
gt brctl addif $br eth0
gt brctl addif $br nrtap
gt ifconfig nrtap 0000 promisc up
gt ifconfig eth0 0000 promisc up
gt ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast
gt
gt ifconfig $br down
gt brctl delbr $br
3 Setup Featureini file on each member of the NeoRouter network The content of the file is
[Default]
NetworkBridge=1
LANSegment1=192168129126-192168129128192168129204
After setting the file restart the nrservice or reboot computer
User Manual
NeoRouter Inc 2010 Page 45 of 53
535 Routing Setup ndash site to site VPN
Requirement
A company wants create a site-to-site VPN to link two offices located in different cities They cannot install
NeoRouter client software on their computers running Unix OS (HP-Unix Solaris or SCO Unix) The NeoRouter
Network Bridge feature would be the best choice
Design
To make the VPN fast its better to use the routing mode From the requirements we can see 3 networks
1 19216812902552552550 Office 1
2 192168302552552550 Office 2
3 100102552552550 NeoRouter virtual network
Setup
1 Setup NeoRouter client on each gateway computers
2 One each gateway computer enable the feature allowing the OS to forward packets
On Windows 2000+
create HKEY_Local_MachineSystemCurrentControlSetServicesTcpipParametersIPEnableRouter
as a string value equal to 1 in the registry This will require a system reboot to take effect To confirm it
is enabled do ipconfig all from the command line IP Routing Enabled should say yes If not confirm your
registry setting and reboot again This setting is flaky in non-server versions of Windows
Also refer to httpsupportmicrosoftcomkb230082en-us
On Linux
gt echo 1 gt procsysnetipv4ip_forward
User Manual
NeoRouter Inc 2010 Page 46 of 53
On Mac OS X
1) The easy way is to create or edit etcsysctlconf and add netinetipforwarding=1
or
2) gt sysctl -w netinetipforwarding=1
3 Setup route on each gateway
On the gateway of the 1921683x network
gt route ndashp add 1921681290 mask 25525500 1001103
On the gateway of the 192168129x network
gt route ndashp add 19216830 mask 25525500 1001102
4 Setup route stable When using routing method you need to tell your other machines how to cross the VPN to
access computers on the opposite network
Option1
This requires more work but limits configuration changes to be at the computer level
On each computer of the 1921683x network
gt route ndashp add 1921681290 mask 25525500 1921683234
On each computer of the 192168129x network
gt route ndashp add 19216830 mask 25525500 192168129129
Option 2 (not all routers support this but it is the minimal configuration method)
On the router acting as the default gateway for 1921683x network add a static route that says any traffic destined
for 1921681290 network go through 1921683x (IP address of NeoRouter PC on 1921683x network)
On the router acting as the default gateway for 192168129x network add a static route that says any traffic
destined for 19216830 network go through 192168129x (IP address of NeoRouter PC on 192168129x
network)
User Manual
NeoRouter Inc 2010 Page 47 of 53
536 Bridging Setup ndash site to site VPN
537 Run Scripts When Network Bridge feature is enabled one can define commands getting called by NR Client on the following
events
These commands should be defined in the Featureini file
1When initialize the tap device but not activate it yet
CmdOnTapInit=xxxxxxxxx
2When the tap device gets activated
CmdOnTapActive=xxxxxxxxx
3When tap device gets destroyed
CmdOnTapUninit=xxxxxxxxx
These options are available on all platforms
For example one can define a script to setup static route table after the tap gets activated and has virtual IP address
assigned
Featureini
CmdOnTapActive=usrbinsetroutetablesh
User Manual
NeoRouter Inc 2010 Page 48 of 53
54 Build Custom Add-on (Windows)
541 Create Custom Add-on You can customize an add-on or even create your own
As an example letrsquos create an add-on to get the system info of a remote computer using PsTools by Mark
Russinovich and systeminfoexe command shipped with Windows
PsTools httptechnetmicrosoftcomen-ussysinternalsbb896649aspx
systeminfo httptechnetmicrosoftcomen-uslibrarybb491007aspx
a Launch NeoRouter Network Explorer open Add-ons Manager dialog
b Click + button to create a new add-on
c In add-on properties dialog enter the following
Add-on name psexec systeminfo
Command
cmdexe C cpstoolspsexecexe NRIPAddress -u ltusernamegt systeminfo amp pause
Please replace ltusernamegt with username on the remote computer
Comment Get SystemInfo of remote machine using psexec
Startup Type Manual
Icon click Change Icon button to choose one thats easy to recognize
d In the command you can use Windows environment variables or NeoRouter variables like
NRIPAddress If you click on the button next to the Command edit box you will see the Edit
Command dialog with a list of variables you can use
User Manual
NeoRouter Inc 2010 Page 49 of 53
e Three Startup types are supported
Manual the add-on will be displayed in the launch pad of Network Explorer and user can manually
launch the program
Automatic after signing in the add-on command is automatically executed when user signs into
NeoRouter Network Explorer
Automatic after Windows starts the add-on command is automatically executed when Windows
starts
f Launch the new add-on just click on the target computer in Network Explorer and choose the add-on in
the pop-up launch pad
User Manual
NeoRouter Inc 2010 Page 50 of 53
g In the above steps I have assumed that PsTools are installed at cPsTools and the remote computer has
telnet service enabled If not lets configure the system now
PsTools download from httptechnetmicrosoftcomen-ussysinternalsbb896649aspx and extract to
cPsTools folder
h Configure telnet service on remote computer This step is required on XPVista but not necessary on
Windows 20032008 servers
Run servicesmsc from the Start -gt Run command window and configured the Telnet service for
Automatic Start the service
Follow the instructions here httpsupportmicrosoftcomkb298060en-us
Launch Windows firewall and add CWINDOWSSystem32tlntsvrexe to exception list
542 Add-on File Formats
NeoRouter supports two types of add-on files nri and nra Most users only need to deal with nri files all files
downloaded from httpwwwneoroutercomaddonsindexhtml are in this format nra files are used by advanced
users to build custom add-ons
nri is the full installation package that contains both the application and the the configure info Users can simply
download nri files from and use the Install button to setup the add-on
nra contains only the configuration info Advanced users can create custom add-ons and export the configuration
info as nra files using the Export button in the add-on properties dialog Then heshe can import the nra file
on another client But remember that you will need to manually setup the application as well
User Manual
NeoRouter Inc 2010 Page 51 of 53
6 Licensing NeoRouter
61 Licensing Overview
NeoRouter Server Professional Edition has a license control mechanism User can purchase either 8 licenses or 256
licenses The number of licenses is the max number of client computers allowed in the virtual network A
NeoRouter client requires one license regardless of whether it is online or offline A NeoRouter PortableUSB client
requires one license when it is connected to the virtual network There is no limit on the number of user accounts
NeoRouter Professional has 30 days trial period Please activate before the trial period expires to ensure
uninterrupted usage The license status and remaining trial days can be found at Configuration Explorerrsquos General
page
62 Activation
If you have purchased NeoRouter Professional Edition you should receive a product key in email Please have the
product key ready before starting the activation process
a Ensure NeoRouter server is running
b Launch Configuration Explorer and sign in
c Open ldquoGeneralrdquo page click on the ldquoActivate Productrdquo button
d Enter the product key in the following dialog
e Click on the ldquoOKrdquo button to activate it
After successful activation the ldquoActivate Productrdquo button will disappear and License status will show as activated
If the server host is non-Windows you can also activate using nrserverrsquos CLI The command is as follows On Mac
nrserver executable is located under LibraryNeoRouter
ldquonrserver ndashactivateproduct ltPRODUCT KEYgtrdquo
63 Product Key Recovery
You should receive a product key in email within 48 hours after your purchase If you lose the product key please
contact us and provide your name company shipping address and email address We will verify the information and
resend the product key to you
User Manual
NeoRouter Inc 2010 Page 52 of 53
7 Troubleshooting and Support
71 Troubleshooting
If you come cross issues when using NeoRouter please use the methods to debug or report
711 Troubleshooting steps
1Install Server
2Check Server
Process
3Check Server
Listening port
4Check Port
Forwarding
6Signin with
Domain
14Check Error
Message
20 Generate Log
and email support
9Install Client
10Check Client
Service Process
11Sign in with
serverrsquos local or
public IP and port
failed
sucessful
15 Manually Start
Servernot found
started
not start
found
not open17 Check Port
conflicts
solved
Not solved
opened
19 Check Router
Port Forward
setting
not work
Set properly
8Ready
Sign in successfully
5Sign in with
public IP and port
successful
Cannot sign in
22 Router Hairpin
issue
Cannot
sign in
12Sign in with
domain name
found
successful
failed
16 Manually Start
Client ServiceNot found
started
13Ready
Sign in successfully
18 Check serverCannot
Sign in
solved
Cannot
sign in
21 Check domain
setting
Not sovled solved
Troubleshooting Steps
Setup Server Setup Client
Note
Step 2 and 10 to check if a process is running you can use Task Manager or Services Console on
Windows or ps command on other platforms
Step 3 to check server listening port you can use telnet or netstat on all platforms You can also
TcpViewer on Windows or NetActView on Linux
Step 4 to check port forwarding you can use httpwwwneoroutercomcheckportphp
Step 5 and 6 Tip ndash use Configuration Explorer instead of Network Explorer to debug server issues
Step 20 next section will explain how to generate log files
User Manual
NeoRouter Inc 2010 Page 53 of 53
Step 22 If your router does not support Hairpin please set serverrsquos LAN address in the Connection
Options dialog See Server Local Address
712 Generate Log
If you need technical support please use the following steps to collect the log files and send them to
supportneoroutercom
a Launch Network Explorer
b Select menu item HelpgtgtTroubleshootinggtgtLog Session to File
c If you want to troubleshoot the server then restart the NeoRouter server service from the servicesmsc if
you want to create log for the client then restart the NeoRouter client service from the servicemsc
d After reproduce the issue select menu item HelpgtgtTroubleshootinggtgt Log Session to File again to disable
the log and restart the service you are trying to log
e Select menu item HelpgtgtTroubleshootinggtgtOpen Configuration Folder and you will see the log file
For advanced users please setup logging settings manually referring to
httpwwwneoroutercomwikiindexphpNeoRouterWikiFAQHow_to_generate_a_log_file3F
72 Contact Us
Company website
httpwwwneoroutercom
Technical support
supportneoroutercom
Support ticket
httpswwwneoroutercomDashboardSendTicketaspx
Support forum
httpwwwneoroutercomforum
Product sales
salesneoroutercom
Knowledge base
httpwwwneoroutercomsupport
User Manual
NeoRouter Inc 2010 Page 28 of 53
371 Launch CLI
Usage nrclientcmd [-d DOMAIN] [-u USERNAME] [-p PASSWORD] [-setproxy] [-setconn] [-dbroot DBROOT]
[-internal] [--help]
To launch Network Explorer CLI you can simply run nrclientcmd in a terminal without parameters Mac users can
simply double-click on the nrclientcmd shortcut on the Desktop You will be prompted for domain name and user
credential
If you need to launch nrclientcmd in a startup script you can also provide domain name or credential in the
command line arguments
If the client host is behind a proxy you can use ndashsetproxy option The proxy information will be stored in the
configuration file and nrclientcmd will respect this setting subsequently
There are also a few advance options
- setconn allow user to specify client-to-client connection type
- dbroot allow user to specify the location to store user data
- internal nrclientcmd will generate tags between information sections This option can be used by third
party developers to create a UI wrapper for CLI
372 Computer List in CLI
After signing in you will see your computer list just like on Windows The computer list will automatically update
if there are any changes in your virtual LAN eg a host comes online or offline
At the bottom of the screen lists the available commands you can use to manage the computer list change password
remotely wake up a computer or to quit
38 Network Explorer Portable
NeoRouter Network Explorer Portable can run from any computer without installation It does not require
administrator permission or use the virtual network adapter This application can be extremely useful for users who
need to connect to the VLAN from a public kiosk or from friendrsquos house
User Manual
NeoRouter Inc 2010 Page 29 of 53
Note Prior to v111 Portable and USB are two separate packages They are merged into one package in v111 and
later releases The new package is a zip file containing both the portable client and the USB Auto Run Configuration
Tool The functionalities are same as before
381 Network Explorer Portable
To use Network Explorer Portable client user can simply download it from NeoRouter download website and run
Then user will see the same user interface as the regular Network Explorer The user experience is almost the same
except for the following
The host running PortableUSB client cannot be added to the computer list or be accessed by remote computer
You can think of it as a ldquoviewer of the VLANrdquo
NeoRouter administrator users can see and manage hosts running PortableUSB clients in the Configuration
Explorer
382 Auto Run Configuration for USB
Auto Run Configuration Tool allows user to store the portable client add-ons and configuration on a USB drive
You can even configure it to launch and sign in automatically when the USB drive is plugged into a computer and to
sign out and exit when the USB drive is unplugged
Here are the steps for setting up the USB package
a Download NeoRouter for USB
b Unzip the package to any folder For example CTEMP
c Launch the ldquoAuto Run Configuration Toolrdquo (AutoRunCfgexe)
User Manual
NeoRouter Inc 2010 Page 30 of 53
d Click on the ldquohelliprdquo button next to the working directory text box and specify a working path If the target
USB drive is plugged in you can specify the USB drive root path as the working directory Or you can
specify a temporary path (eg CTEMPUSB) and copy the files to your USB driver later
e Once you specify a working directory the Settings section will be enabled
f Choose CliViewerexe from the same install zip package as the Target file
g Check the Sign in checkbox and enter the domain name and user information to log into your NeoRouter
VLAN
h Setup the proxy information if necessary
i If you want to import a NeoRouter add-on click on the button on the right side of the Add-on file text
box and specify an add-on nri file
j If you want to run an application automatically after signing in click on the Run application
automatically check box and input an executable file path and parameters
k If you want to hide the NeoRouter Viewer window click on the Minimize NeoRouter window when
started
l Click on Save button to save the configuration files It will generate the following files under the working
directory
- Autoruninf
- CliViewerexe copied from the target file
- NRAutoRunxml
- [add-on file]nri if you specify an add-on
- Proxyxml if you specify a proxy
m You will also see the following dialog if the configuration was successful Then please copy all files and
sub-folder under the working directory to the root of your USB drive And the USB drive is ready to use
39 Change Password
A user can change hisher password in NeoRouter Network Explorer User must sign in the Network Explorer using
old password then choose menu ldquoFile | Change Passwordrdquo then enter the new password in the dialog
Network Explorer CLI has similar functionality After signing in user can use ndashchangepassword command to enter
new password
If a user loses the old password an administrator can create a new password for himher using the Configuration
Explorer User Management tool
User Manual
NeoRouter Inc 2010 Page 31 of 53
4 Configuration Explorer
NeoRouter Configuration Explorer is a Windows application that allows an administrator to manage local or remote
NeoRouter server This is the recommended method to change server settings
If user does not have a Windows computer nrserver CLI can be used to perform most configurations
41 Launch and Sign In
Note Only administrators can sign in Configuration Explorer
a User can launch it from Windows Start Menu | All Programs | NeoRouter | NeoRouter Network Explorer
or from NeoRouter Network Explorer menu ldquoFile | Optionsrdquo
b After launch user will see a sign-in dialog that is similar to the Network Explorer counterpart Please enter
domain name and user credential to sign in If the local host is behind a proxy please click on Connection
button to set proxy information
c After sign in the following general information page will be displayed
User Manual
NeoRouter Inc 2010 Page 32 of 53
42 Managing Users
In the User Accounts page you can perform the following tasks
- View existing users The users list can be sorted by any column
- Add a new user admin will create a temporary password for the new user and user can change the
password in Network Explorer
- Edit user information you can enter anything like employer contact info etc
- Set userrsquos password If a user loses password admin can set a temporary password for himher Then user
can change the password again in Network Explorer
- Disable (block) a user A disabled user will not be able to sign in Network Explorer or Configuration
Explorer The userrsquos profile and ACL settings are retained
- Delete a user all information of this user is deleted
- View the computers that are visible to this user (see ACL section for details)
User Manual
NeoRouter Inc 2010 Page 33 of 53
43 Managing Computers
In the Computers page you can perform the following tasks
- View existing computers please note that the Type column will show ldquoTemporaryrdquo for Network Explore
PortableUSB clients and ldquoPermanentrdquo for regular clients The computer list can be sorted by any column
- Edit a computerrsquos alias When a computer is added to the virtual network NeoRouter reads the computer
name from the OS and displays it in the computer list If you prefer a different name you can create an
alias which will then be used in the computer list
- Edit a computerrsquos description you can enter anything like computer owner location asset id etc
- Edit ACL this will be discussed in next section
User Manual
NeoRouter Inc 2010 Page 34 of 53
44 Access Control List
This feature is available in NeoRouter Profession Edition only
441 Overview
The ACL of a host specifies which users are granted or denied access to the host and which specific services or ports
are allowed Administrators can use ACL to manage a NeoRouter domain that has users with different trust levels
For example Joe uses NeoRouter to manage the office network at his small business He wants to share some
documents on a file server with a customer but block this customer from accessing other services on this file server
and other computers at office At the same time Joe and his coworkers should continue to have full access to all
computers
This can be a daunting task with traditional VPN solutions Once Joersquos customer is connected into the office
network heshe can access all network resources just like Joe and his coworkers If the office uses a domain
controller it can help mitigate the threat but Joe would have to check all the computers to ensure they are secure
Some coworkers can make innocent mistakes and share important files or internal websites with ldquoeveryonerdquo With
NeoRouter Joe can manage all the access control at one place and easily solve this challenge
User Manual
NeoRouter Inc 2010 Page 35 of 53
ACL defines the relationships between users and computers that can be conceptually represented using a table In
Joersquos case he needs to define the ACL as follows
Default User Joe (Admin) Customer Joersquo Co-workers
Default Computer ACL Block all
File Server Allow all Allow file sharing
block other services
Office Computer A Allow all Block all
Office Computer B Allow all Block all
Joersquos laptop Allow all Block all
Customerrsquos Computer
Letrsquos first look at the row for File Server Joersquos customer will only have access to the files sharing service There is
no ACL defined for Joe and his co-workers so the ACL for Default User is effective and they have full access
Similarly the customer will be blocked from accessing office computer A and B as well as Joersquos laptop while Joe
and his coworkers have full access to these computers
When the customer connects to Joersquos NeoRouter domain his computer will be added to the domain Because the
ACL for this computer is undefined it will have the same ACL as ldquoDefault Computerrdquo Thus the customerrsquos
computer will block all users including Joe from accessing it The customer has physical access to his own
computer
442 Define Computer ACL
You can think of a computerrsquos ACL as a row in the above ACL table An admin can select any computer in the
computer list and edit its ACL If a group of computers share the same ACL admin can copy ACL from one
computer to another
To edit the Default Computer ACL you can click on the ldquoEdit Default ACLrdquo button in the tool bar
User Manual
NeoRouter Inc 2010 Page 36 of 53
443 Define ACL entry
An ACL entry defines the relationship between one user and one computer You can think of it as a cell in the above
table To edit an ACL entry you can select the computer in the computer list click Edit ACL in the tool bar and
then select the user in the User List in the following dialog If the user does not exist in the list you can click Add
button and add himher
There are 4 types of ACL entries
Undefined the relationship between the user and the computer is not explicitly defined The user does not
show up in the User List of the ACL In this case the Default User ACL entry for this computer will be
effective
Block All the computer is invisible to the user User cannot add the computer to hisher computer list in
Network Explorer or connect to it
Note admin can view the list of computers that is visible to a specific user Click on the User Accounts tab
choose the user and then click on the ldquoUser Computer Listrdquo button from tool bar
Firewall On User can only access the services in the exceptions list provided by the computer
Firewall Off User can access all services provided by the computer
To define the Default User ACL entry for a computer choose Default User from User List If several users have the
same trust level admin can copy the ACL entry from one user to another using the ldquoCopy Fromrdquo button
444 How Firewall Works
NeoRouter Client Service daemon has a built-in firewall that monitors traffic in the virtual network The firewall
downloads the ACL from server and uses it to allow or deny incoming connections in the virtual network
User Manual
NeoRouter Inc 2010 Page 37 of 53
When a remote computer establishes a direct P2P or relayed connection to local host it also informs which user has
signed into the Network Explorer on the remote computer Then the local hostrsquos firewall will use the user id to
choose the appropriate ACL entry and control the virtual network traffic between these two computers If user does
not sign in Network Explorer on the remote computer the Default User ACL entry is used
As a result NeoRouter firewall can control a userrsquos access to a network resource (a computer or a service on a
computer) based on the ACL
445 Example hub-and-spoke
Jeffrsquos company has three business partners A B and C Jeff needs to setup bidirectional network connections with
each partner but these partners should be invisible to each other Jeff setup a NeoRouter domain and invited the
partners to Then Jeff creates the following ACL to achieve his access control goals
Default User Jeff (Admin) Partner A Partner B Partner C
Default Computer ACL Block all Allow all
Jeffrsquos Computer 1 (Hub 1) Allow all
Jeffrsquos Computer 2 (Hub 2) Allow all
Partner Arsquos Computer
Partner Brsquos computer
Partner Crsquos computer
Every user will have access to Jeffrsquos two computers (hub) because they have Default User ACL entry as ldquoAllow
allrdquo Partner Arsquos computer does not have a specific ACL defined so the Default Computer ACL is effective The
Default Computer ACL grants Jeff access to Partner Arsquos computer but make the computer invisible to Partner B and
C Partner A have physical access to his own computer
446 Example one-way access
Jasonrsquos company provide technical support for customer A Jason needs to have one-way access to Customer Arsquos
computer but block Customer A from accessing Jasonrsquos computer Jason sets up the following ACL for his domain
and invites Customer A to join his domain Jason can access all the computers in the domain while Customer A can
access none except for his own
One day Jason visits another Customer Brsquos office He installs NeoRouter client on Customer Brsquos computer so that he
can provide technical support remotely in the future When he signs into Network Explorer he makes sure to
uncheck ldquoremember my passwordrdquo checkbox When he leaves customer Brsquos office he exits the Network Explorer
Because Network Explorer is not running on Customer Brsquos computer the Default User ACL governs the
connections from Customer Brsquos computer to other computers in the VLAN Thus Customer B does not have access
to any computers except for his own When Jason goes back to his office he can connect to Customer Brsquos computer
remotely and provide customer support
The difference between Customer A and B is that Customer A has a NeoRouter user account while Customer B does
not The result is that Jason has access to all three computers while Customer A or B can only access hisher own
computer
Default User Jason (Admin) Customer A
Default Computer ACL Block all Allow all
Jasonrsquos Computer
Customer Arsquos Computer
Customer Brsquos Computer
User Manual
NeoRouter Inc 2010 Page 38 of 53
45 Managing Server and Domain
In the Settings page you can perform the following tasks
- Change domain name User should have setup a domain during the server installation If you decide to
change the domain name you can create a new domain at NeoRouter Dashboard website and then use
Configuration Explorer to switch the server to new domain
- Change Listen Port this is discussed in the Advanced Configuration chapter
- Change NAT setting this is discussed in the Server Installation chapter
- Change DHCP this is discussed in the Advanced Configuration chapter
Please restart the NeoRouter server daemon after changes
46 Branding
This feature is available in NeoRouter Profession Edition only
Admin can customize the logo on the sign-in page NeoRouter Network Explorer and the banner below the computer
list The customization page of the Configuration Explorer allows user to make these changes The changes will be
effective next time user signs into the Network Explorer
User Manual
NeoRouter Inc 2010 Page 39 of 53
a Logo format custom logo can be JPG JPEG BMP or GIF files The Logo will be displayed in 180 80
pixels and the file will be automatically resized to fit The color of the pixel at (0 0) will be used as the
transparent color
b Banner format custom banner can be JPG JPEG BMP or GIF files The banner will be displayed in
190 42 pixels and the file will be automatically resized to fit
c When user clicks on the banner Network Explorer will launch a web browser and navigate to the link
specified in the ldquoBanner Linkrdquo box The banner link should be a valid URL that begins with http eg
httpwwwgooglecom
User Manual
NeoRouter Inc 2010 Page 40 of 53
47 Server Configuration CLI
Another way to configure the NeoRouter server is to use nrserverrsquos CLI If user does not have a Windows computer
with Configuration Explorer this tool can be used to set most configurations
Usage nrserver [options]
-run [--dbroot ltDBROOTgt]]
-showsettings
-setdomain ltDOMAINNAMEgt ltDOMAINPASSWORDgt
-setport ltPORTgt
-dhcp ltSUBNETgt ltNETMASKgt
-showusers
-adduser ltUSERNAMEgt ltPASSWORDgt [admin|user]
-setpassword ltUSERNAMEgt ltNEW PASSWORDgt
-setrole ltUSERNAMEgt [admin|user]
-enableuser ltUSERNAMEgt
-disableuser ltUSERNAMEgt
-deleteuser ltUSERNAMEgt
-showcomputers
-deletecomputer COMPUTERNAME
-setalias COMPUTERNAME ALIAS
-help
5 Advanced Configuration
51 Change Server Port
By default NeoRouter server listens at TCP port 32976 for incoming client connections User can change the
listening port to any valid number between 1 and 65534
a Launch Configuration Explorer sign in and open the Settings tab
b Click on ldquoChange Portrdquo button input the new listening port and click ldquoOkrdquo to save the settings
c If the NeoRouter Server is running on the same computer user will be prompted for restarting the
NeoRouter Server
d If the NeoRouter Server is running on a different computer or device user needs to restart the server
manually
User Manual
NeoRouter Inc 2010 Page 41 of 53
Note
- The new settings will not take effect until the NeoRouter server stops and restarts
- Since the listening port has been changed all NeoRouter clients connected to the server will be
disconnected and have to reconnect to the server
52 Change DHCP NeoRouter server acts as a DHCP server to allocate the virtual IP address when a NeoRouter client connects to it By default the base IP address is 100002552552550 User can change the base IP address to any valid network IP address to meet the specific requirements
a Run Configuration Explorer sign in and open the ldquoSettingsrdquo tab b Click on ldquoChange DHCPrdquo button input the new IP address and netmask and then click ldquoOkrdquo to save the
settings c If the NeoRouter Server is running on the same computer user will be prompted for restarting the
NeoRouter Server d If the NeoRouter Server is running on a different computer or device user needs to restart the server
manually
Note
- The new settings will not take effect until the NeoRouter server stops and restarts
53 Network Bridge
531 Overview NeoRouter (v099 or later) supports the Network Bridge feature which uses two very different means for
interconnecting networks routing and bridging Once the feature is enabled the ACL feature will be disabled
automatically as we cannot control the packets from the external networks anymore and may cause security issues if
its not setup properly So this is an advanced feature for the users who know about it every well
Routing - refers to the interconnection of separate and independent sub-networks (subnets) which have non-
overlapping ranges of IP addresses Upon receiving a packet sent to it a network router examines the
destination IP address to determine which of several connected networks should receive it after which that packet
is forwarded to the proper network
User Manual
NeoRouter Inc 2010 Page 42 of 53
Bridging - by comparison is much simpler A network bridge is simply an electrical interconnection between
separate physical networks that are all carrying the same ranges of IP addresses Standard dumb network hubs
and switches are examples of network bridges With a hub packets arriving at any port are bridged and sent
out to every other port A switch is a bit smarter since it is able to adaptively learn which network interface cards
(NICs) are attached to which ports But a switch is still interconnecting network segments carrying the same
ranges of IP addresses
532 Routing vs Bridging Although routed connections are the most common and straightforward to configure they suffer from significant
operational limitations By comparison bridged connections are generally much trickier to configure and are not
even natively available under all operating systems so they are not the default connection type But when bridging
is properly setup it correctly does everything that we want
Bridging and routing are functionally very similar with the major difference being that a routed VPN will not pass
IP broadcasts while a bridged VPN will
Routing advantages
Efficiency and scalability
Allows better tuning of MTU for efficiency
Routing disadvantages
Clients must use a WINS server (such as samba) to allow cross-VPN network browsing to work
Routes must be set up linking each subnet
Software that depends on broadcasts will not see machines on the other side of the VPN
Works only with IPv4 in general and IPv6 in cases where tuntap drivers on both ends of the connection
support it explicitly
Bridging advantages
Broadcasts traverse the VPN -- this allows software that depends on LAN broadcasts such as Windows
NetBIOS file sharing and network neighborhood browsing to work
No route statements to configure
Works with any protocol that can function over ethernet
Relatively easy-to-configure solution for road warriors
Bridging disadvantages
Less efficient than routing and does not scale well
533 Setup Network Bridge With either bridging mode or routing mode one can create point-to-site VPN site-to-site VPN or even multiple site-
to-site networks Once a network structure is well designed one can use Featureini file to control NeoRouter client
service to implement it
The file Featureini is located in the main configuration folder which can be various for different OS
On Windows Xp
XDocuments and SettingsAll UsersApplication DataZebraNetworkSystemsNeoRouter
On Vista+
XUsersAll UsersZebraNetworkSystemsNeoRouter
On Linux and Mac OSX
usrlocalZebraNetworkSystemsNeoRouter
On in-a-box
jffs
If it does not exist please create one
The only thing to do is define the parameters in the Featureini file
User Manual
NeoRouter Inc 2010 Page 43 of 53
NetworkBridge=1
LANSegment parameter
This is a set of parameters used for mapping the external IP address or IP range to a virtual IP address so that
NeoRouter can route the packets to the proper tunnel Its defined in the following format
LANSegment[index]=[IP|IP range|segment]VIP
[index] - number start from 1 for example 123
[IP] - a valid external IP address for example 192168129126
[IP range] - a set of external IP addresses in the format as IP_BEGIN-IP_END For example 192168129126-
192168129128
[segment] - a set of external IP addresses in the format as SUBNETWORKNETMASK For example
19216812902552552550
For example
[Default]
NetworkBridge=1
LANSegment1=192168129126-192168129128192168129204
LANSegment2=192168129120192168129205
LANSegment3=192168302552552550192168129206
In the sample above the setting tells NeoRouter how to route packets
Here are several common scenarios
534 Bridging Setup ndash point to site VPN
Requirement
A company wants create a point-to-site VPN so that the employees can remotely access the printers or computers in
the office from home or customer site Since NeoRouter client cannot be installed on the printers and some
User Manual
NeoRouter Inc 2010 Page 44 of 53
computers that are running Unix OS (HP-Unix Solaris or SCO Unix) the NeoRouter Network Bridge feature
would the best choice
Design
Since we want to use the printer its better to use the bridging mode Depending on the requirements we split the
network into 3 groups
1 192168129126 - 192168128128 used for computers or printers
2 192168129200 - 192168129254 used for NeoRouter DHCP
3 Other IP address we dont want packets from these IP range go to our VPN
Setup
1 Setup NeoRouter server and config the DHCP address to 1921681292002552552550
2 Setup the gateway computer by creating a bridge to combine the NeoRouter virtual adapter and a local adapter
On Windows XP+ (except WinXp x64) one can use Windows tool to create a bridge
(check out MSDN for details)
Since some adapters may not fully support prosmic mode one has to enable it manually
(check out httpsupportmicrosoftcomkb302348)
gt netsh bridge show adapter
gt netsh bridge set a 1 e
gt netsh bridge set a 2 e
On Linux one can use brctl command to create a bridge
gt brctl addbr $br
gt brctl addif $br eth0
gt brctl addif $br nrtap
gt ifconfig nrtap 0000 promisc up
gt ifconfig eth0 0000 promisc up
gt ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast
gt
gt ifconfig $br down
gt brctl delbr $br
3 Setup Featureini file on each member of the NeoRouter network The content of the file is
[Default]
NetworkBridge=1
LANSegment1=192168129126-192168129128192168129204
After setting the file restart the nrservice or reboot computer
User Manual
NeoRouter Inc 2010 Page 45 of 53
535 Routing Setup ndash site to site VPN
Requirement
A company wants create a site-to-site VPN to link two offices located in different cities They cannot install
NeoRouter client software on their computers running Unix OS (HP-Unix Solaris or SCO Unix) The NeoRouter
Network Bridge feature would be the best choice
Design
To make the VPN fast its better to use the routing mode From the requirements we can see 3 networks
1 19216812902552552550 Office 1
2 192168302552552550 Office 2
3 100102552552550 NeoRouter virtual network
Setup
1 Setup NeoRouter client on each gateway computers
2 One each gateway computer enable the feature allowing the OS to forward packets
On Windows 2000+
create HKEY_Local_MachineSystemCurrentControlSetServicesTcpipParametersIPEnableRouter
as a string value equal to 1 in the registry This will require a system reboot to take effect To confirm it
is enabled do ipconfig all from the command line IP Routing Enabled should say yes If not confirm your
registry setting and reboot again This setting is flaky in non-server versions of Windows
Also refer to httpsupportmicrosoftcomkb230082en-us
On Linux
gt echo 1 gt procsysnetipv4ip_forward
User Manual
NeoRouter Inc 2010 Page 46 of 53
On Mac OS X
1) The easy way is to create or edit etcsysctlconf and add netinetipforwarding=1
or
2) gt sysctl -w netinetipforwarding=1
3 Setup route on each gateway
On the gateway of the 1921683x network
gt route ndashp add 1921681290 mask 25525500 1001103
On the gateway of the 192168129x network
gt route ndashp add 19216830 mask 25525500 1001102
4 Setup route stable When using routing method you need to tell your other machines how to cross the VPN to
access computers on the opposite network
Option1
This requires more work but limits configuration changes to be at the computer level
On each computer of the 1921683x network
gt route ndashp add 1921681290 mask 25525500 1921683234
On each computer of the 192168129x network
gt route ndashp add 19216830 mask 25525500 192168129129
Option 2 (not all routers support this but it is the minimal configuration method)
On the router acting as the default gateway for 1921683x network add a static route that says any traffic destined
for 1921681290 network go through 1921683x (IP address of NeoRouter PC on 1921683x network)
On the router acting as the default gateway for 192168129x network add a static route that says any traffic
destined for 19216830 network go through 192168129x (IP address of NeoRouter PC on 192168129x
network)
User Manual
NeoRouter Inc 2010 Page 47 of 53
536 Bridging Setup ndash site to site VPN
537 Run Scripts When Network Bridge feature is enabled one can define commands getting called by NR Client on the following
events
These commands should be defined in the Featureini file
1When initialize the tap device but not activate it yet
CmdOnTapInit=xxxxxxxxx
2When the tap device gets activated
CmdOnTapActive=xxxxxxxxx
3When tap device gets destroyed
CmdOnTapUninit=xxxxxxxxx
These options are available on all platforms
For example one can define a script to setup static route table after the tap gets activated and has virtual IP address
assigned
Featureini
CmdOnTapActive=usrbinsetroutetablesh
User Manual
NeoRouter Inc 2010 Page 48 of 53
54 Build Custom Add-on (Windows)
541 Create Custom Add-on You can customize an add-on or even create your own
As an example letrsquos create an add-on to get the system info of a remote computer using PsTools by Mark
Russinovich and systeminfoexe command shipped with Windows
PsTools httptechnetmicrosoftcomen-ussysinternalsbb896649aspx
systeminfo httptechnetmicrosoftcomen-uslibrarybb491007aspx
a Launch NeoRouter Network Explorer open Add-ons Manager dialog
b Click + button to create a new add-on
c In add-on properties dialog enter the following
Add-on name psexec systeminfo
Command
cmdexe C cpstoolspsexecexe NRIPAddress -u ltusernamegt systeminfo amp pause
Please replace ltusernamegt with username on the remote computer
Comment Get SystemInfo of remote machine using psexec
Startup Type Manual
Icon click Change Icon button to choose one thats easy to recognize
d In the command you can use Windows environment variables or NeoRouter variables like
NRIPAddress If you click on the button next to the Command edit box you will see the Edit
Command dialog with a list of variables you can use
User Manual
NeoRouter Inc 2010 Page 49 of 53
e Three Startup types are supported
Manual the add-on will be displayed in the launch pad of Network Explorer and user can manually
launch the program
Automatic after signing in the add-on command is automatically executed when user signs into
NeoRouter Network Explorer
Automatic after Windows starts the add-on command is automatically executed when Windows
starts
f Launch the new add-on just click on the target computer in Network Explorer and choose the add-on in
the pop-up launch pad
User Manual
NeoRouter Inc 2010 Page 50 of 53
g In the above steps I have assumed that PsTools are installed at cPsTools and the remote computer has
telnet service enabled If not lets configure the system now
PsTools download from httptechnetmicrosoftcomen-ussysinternalsbb896649aspx and extract to
cPsTools folder
h Configure telnet service on remote computer This step is required on XPVista but not necessary on
Windows 20032008 servers
Run servicesmsc from the Start -gt Run command window and configured the Telnet service for
Automatic Start the service
Follow the instructions here httpsupportmicrosoftcomkb298060en-us
Launch Windows firewall and add CWINDOWSSystem32tlntsvrexe to exception list
542 Add-on File Formats
NeoRouter supports two types of add-on files nri and nra Most users only need to deal with nri files all files
downloaded from httpwwwneoroutercomaddonsindexhtml are in this format nra files are used by advanced
users to build custom add-ons
nri is the full installation package that contains both the application and the the configure info Users can simply
download nri files from and use the Install button to setup the add-on
nra contains only the configuration info Advanced users can create custom add-ons and export the configuration
info as nra files using the Export button in the add-on properties dialog Then heshe can import the nra file
on another client But remember that you will need to manually setup the application as well
User Manual
NeoRouter Inc 2010 Page 51 of 53
6 Licensing NeoRouter
61 Licensing Overview
NeoRouter Server Professional Edition has a license control mechanism User can purchase either 8 licenses or 256
licenses The number of licenses is the max number of client computers allowed in the virtual network A
NeoRouter client requires one license regardless of whether it is online or offline A NeoRouter PortableUSB client
requires one license when it is connected to the virtual network There is no limit on the number of user accounts
NeoRouter Professional has 30 days trial period Please activate before the trial period expires to ensure
uninterrupted usage The license status and remaining trial days can be found at Configuration Explorerrsquos General
page
62 Activation
If you have purchased NeoRouter Professional Edition you should receive a product key in email Please have the
product key ready before starting the activation process
a Ensure NeoRouter server is running
b Launch Configuration Explorer and sign in
c Open ldquoGeneralrdquo page click on the ldquoActivate Productrdquo button
d Enter the product key in the following dialog
e Click on the ldquoOKrdquo button to activate it
After successful activation the ldquoActivate Productrdquo button will disappear and License status will show as activated
If the server host is non-Windows you can also activate using nrserverrsquos CLI The command is as follows On Mac
nrserver executable is located under LibraryNeoRouter
ldquonrserver ndashactivateproduct ltPRODUCT KEYgtrdquo
63 Product Key Recovery
You should receive a product key in email within 48 hours after your purchase If you lose the product key please
contact us and provide your name company shipping address and email address We will verify the information and
resend the product key to you
User Manual
NeoRouter Inc 2010 Page 52 of 53
7 Troubleshooting and Support
71 Troubleshooting
If you come cross issues when using NeoRouter please use the methods to debug or report
711 Troubleshooting steps
1Install Server
2Check Server
Process
3Check Server
Listening port
4Check Port
Forwarding
6Signin with
Domain
14Check Error
Message
20 Generate Log
and email support
9Install Client
10Check Client
Service Process
11Sign in with
serverrsquos local or
public IP and port
failed
sucessful
15 Manually Start
Servernot found
started
not start
found
not open17 Check Port
conflicts
solved
Not solved
opened
19 Check Router
Port Forward
setting
not work
Set properly
8Ready
Sign in successfully
5Sign in with
public IP and port
successful
Cannot sign in
22 Router Hairpin
issue
Cannot
sign in
12Sign in with
domain name
found
successful
failed
16 Manually Start
Client ServiceNot found
started
13Ready
Sign in successfully
18 Check serverCannot
Sign in
solved
Cannot
sign in
21 Check domain
setting
Not sovled solved
Troubleshooting Steps
Setup Server Setup Client
Note
Step 2 and 10 to check if a process is running you can use Task Manager or Services Console on
Windows or ps command on other platforms
Step 3 to check server listening port you can use telnet or netstat on all platforms You can also
TcpViewer on Windows or NetActView on Linux
Step 4 to check port forwarding you can use httpwwwneoroutercomcheckportphp
Step 5 and 6 Tip ndash use Configuration Explorer instead of Network Explorer to debug server issues
Step 20 next section will explain how to generate log files
User Manual
NeoRouter Inc 2010 Page 53 of 53
Step 22 If your router does not support Hairpin please set serverrsquos LAN address in the Connection
Options dialog See Server Local Address
712 Generate Log
If you need technical support please use the following steps to collect the log files and send them to
supportneoroutercom
a Launch Network Explorer
b Select menu item HelpgtgtTroubleshootinggtgtLog Session to File
c If you want to troubleshoot the server then restart the NeoRouter server service from the servicesmsc if
you want to create log for the client then restart the NeoRouter client service from the servicemsc
d After reproduce the issue select menu item HelpgtgtTroubleshootinggtgt Log Session to File again to disable
the log and restart the service you are trying to log
e Select menu item HelpgtgtTroubleshootinggtgtOpen Configuration Folder and you will see the log file
For advanced users please setup logging settings manually referring to
httpwwwneoroutercomwikiindexphpNeoRouterWikiFAQHow_to_generate_a_log_file3F
72 Contact Us
Company website
httpwwwneoroutercom
Technical support
supportneoroutercom
Support ticket
httpswwwneoroutercomDashboardSendTicketaspx
Support forum
httpwwwneoroutercomforum
Product sales
salesneoroutercom
Knowledge base
httpwwwneoroutercomsupport
User Manual
NeoRouter Inc 2010 Page 29 of 53
Note Prior to v111 Portable and USB are two separate packages They are merged into one package in v111 and
later releases The new package is a zip file containing both the portable client and the USB Auto Run Configuration
Tool The functionalities are same as before
381 Network Explorer Portable
To use Network Explorer Portable client user can simply download it from NeoRouter download website and run
Then user will see the same user interface as the regular Network Explorer The user experience is almost the same
except for the following
The host running PortableUSB client cannot be added to the computer list or be accessed by remote computer
You can think of it as a ldquoviewer of the VLANrdquo
NeoRouter administrator users can see and manage hosts running PortableUSB clients in the Configuration
Explorer
382 Auto Run Configuration for USB
Auto Run Configuration Tool allows user to store the portable client add-ons and configuration on a USB drive
You can even configure it to launch and sign in automatically when the USB drive is plugged into a computer and to
sign out and exit when the USB drive is unplugged
Here are the steps for setting up the USB package
a Download NeoRouter for USB
b Unzip the package to any folder For example CTEMP
c Launch the ldquoAuto Run Configuration Toolrdquo (AutoRunCfgexe)
User Manual
NeoRouter Inc 2010 Page 30 of 53
d Click on the ldquohelliprdquo button next to the working directory text box and specify a working path If the target
USB drive is plugged in you can specify the USB drive root path as the working directory Or you can
specify a temporary path (eg CTEMPUSB) and copy the files to your USB driver later
e Once you specify a working directory the Settings section will be enabled
f Choose CliViewerexe from the same install zip package as the Target file
g Check the Sign in checkbox and enter the domain name and user information to log into your NeoRouter
VLAN
h Setup the proxy information if necessary
i If you want to import a NeoRouter add-on click on the button on the right side of the Add-on file text
box and specify an add-on nri file
j If you want to run an application automatically after signing in click on the Run application
automatically check box and input an executable file path and parameters
k If you want to hide the NeoRouter Viewer window click on the Minimize NeoRouter window when
started
l Click on Save button to save the configuration files It will generate the following files under the working
directory
- Autoruninf
- CliViewerexe copied from the target file
- NRAutoRunxml
- [add-on file]nri if you specify an add-on
- Proxyxml if you specify a proxy
m You will also see the following dialog if the configuration was successful Then please copy all files and
sub-folder under the working directory to the root of your USB drive And the USB drive is ready to use
39 Change Password
A user can change hisher password in NeoRouter Network Explorer User must sign in the Network Explorer using
old password then choose menu ldquoFile | Change Passwordrdquo then enter the new password in the dialog
Network Explorer CLI has similar functionality After signing in user can use ndashchangepassword command to enter
new password
If a user loses the old password an administrator can create a new password for himher using the Configuration
Explorer User Management tool
User Manual
NeoRouter Inc 2010 Page 31 of 53
4 Configuration Explorer
NeoRouter Configuration Explorer is a Windows application that allows an administrator to manage local or remote
NeoRouter server This is the recommended method to change server settings
If user does not have a Windows computer nrserver CLI can be used to perform most configurations
41 Launch and Sign In
Note Only administrators can sign in Configuration Explorer
a User can launch it from Windows Start Menu | All Programs | NeoRouter | NeoRouter Network Explorer
or from NeoRouter Network Explorer menu ldquoFile | Optionsrdquo
b After launch user will see a sign-in dialog that is similar to the Network Explorer counterpart Please enter
domain name and user credential to sign in If the local host is behind a proxy please click on Connection
button to set proxy information
c After sign in the following general information page will be displayed
User Manual
NeoRouter Inc 2010 Page 32 of 53
42 Managing Users
In the User Accounts page you can perform the following tasks
- View existing users The users list can be sorted by any column
- Add a new user admin will create a temporary password for the new user and user can change the
password in Network Explorer
- Edit user information you can enter anything like employer contact info etc
- Set userrsquos password If a user loses password admin can set a temporary password for himher Then user
can change the password again in Network Explorer
- Disable (block) a user A disabled user will not be able to sign in Network Explorer or Configuration
Explorer The userrsquos profile and ACL settings are retained
- Delete a user all information of this user is deleted
- View the computers that are visible to this user (see ACL section for details)
User Manual
NeoRouter Inc 2010 Page 33 of 53
43 Managing Computers
In the Computers page you can perform the following tasks
- View existing computers please note that the Type column will show ldquoTemporaryrdquo for Network Explore
PortableUSB clients and ldquoPermanentrdquo for regular clients The computer list can be sorted by any column
- Edit a computerrsquos alias When a computer is added to the virtual network NeoRouter reads the computer
name from the OS and displays it in the computer list If you prefer a different name you can create an
alias which will then be used in the computer list
- Edit a computerrsquos description you can enter anything like computer owner location asset id etc
- Edit ACL this will be discussed in next section
User Manual
NeoRouter Inc 2010 Page 34 of 53
44 Access Control List
This feature is available in NeoRouter Profession Edition only
441 Overview
The ACL of a host specifies which users are granted or denied access to the host and which specific services or ports
are allowed Administrators can use ACL to manage a NeoRouter domain that has users with different trust levels
For example Joe uses NeoRouter to manage the office network at his small business He wants to share some
documents on a file server with a customer but block this customer from accessing other services on this file server
and other computers at office At the same time Joe and his coworkers should continue to have full access to all
computers
This can be a daunting task with traditional VPN solutions Once Joersquos customer is connected into the office
network heshe can access all network resources just like Joe and his coworkers If the office uses a domain
controller it can help mitigate the threat but Joe would have to check all the computers to ensure they are secure
Some coworkers can make innocent mistakes and share important files or internal websites with ldquoeveryonerdquo With
NeoRouter Joe can manage all the access control at one place and easily solve this challenge
User Manual
NeoRouter Inc 2010 Page 35 of 53
ACL defines the relationships between users and computers that can be conceptually represented using a table In
Joersquos case he needs to define the ACL as follows
Default User Joe (Admin) Customer Joersquo Co-workers
Default Computer ACL Block all
File Server Allow all Allow file sharing
block other services
Office Computer A Allow all Block all
Office Computer B Allow all Block all
Joersquos laptop Allow all Block all
Customerrsquos Computer
Letrsquos first look at the row for File Server Joersquos customer will only have access to the files sharing service There is
no ACL defined for Joe and his co-workers so the ACL for Default User is effective and they have full access
Similarly the customer will be blocked from accessing office computer A and B as well as Joersquos laptop while Joe
and his coworkers have full access to these computers
When the customer connects to Joersquos NeoRouter domain his computer will be added to the domain Because the
ACL for this computer is undefined it will have the same ACL as ldquoDefault Computerrdquo Thus the customerrsquos
computer will block all users including Joe from accessing it The customer has physical access to his own
computer
442 Define Computer ACL
You can think of a computerrsquos ACL as a row in the above ACL table An admin can select any computer in the
computer list and edit its ACL If a group of computers share the same ACL admin can copy ACL from one
computer to another
To edit the Default Computer ACL you can click on the ldquoEdit Default ACLrdquo button in the tool bar
User Manual
NeoRouter Inc 2010 Page 36 of 53
443 Define ACL entry
An ACL entry defines the relationship between one user and one computer You can think of it as a cell in the above
table To edit an ACL entry you can select the computer in the computer list click Edit ACL in the tool bar and
then select the user in the User List in the following dialog If the user does not exist in the list you can click Add
button and add himher
There are 4 types of ACL entries
Undefined the relationship between the user and the computer is not explicitly defined The user does not
show up in the User List of the ACL In this case the Default User ACL entry for this computer will be
effective
Block All the computer is invisible to the user User cannot add the computer to hisher computer list in
Network Explorer or connect to it
Note admin can view the list of computers that is visible to a specific user Click on the User Accounts tab
choose the user and then click on the ldquoUser Computer Listrdquo button from tool bar
Firewall On User can only access the services in the exceptions list provided by the computer
Firewall Off User can access all services provided by the computer
To define the Default User ACL entry for a computer choose Default User from User List If several users have the
same trust level admin can copy the ACL entry from one user to another using the ldquoCopy Fromrdquo button
444 How Firewall Works
NeoRouter Client Service daemon has a built-in firewall that monitors traffic in the virtual network The firewall
downloads the ACL from server and uses it to allow or deny incoming connections in the virtual network
User Manual
NeoRouter Inc 2010 Page 37 of 53
When a remote computer establishes a direct P2P or relayed connection to local host it also informs which user has
signed into the Network Explorer on the remote computer Then the local hostrsquos firewall will use the user id to
choose the appropriate ACL entry and control the virtual network traffic between these two computers If user does
not sign in Network Explorer on the remote computer the Default User ACL entry is used
As a result NeoRouter firewall can control a userrsquos access to a network resource (a computer or a service on a
computer) based on the ACL
445 Example hub-and-spoke
Jeffrsquos company has three business partners A B and C Jeff needs to setup bidirectional network connections with
each partner but these partners should be invisible to each other Jeff setup a NeoRouter domain and invited the
partners to Then Jeff creates the following ACL to achieve his access control goals
Default User Jeff (Admin) Partner A Partner B Partner C
Default Computer ACL Block all Allow all
Jeffrsquos Computer 1 (Hub 1) Allow all
Jeffrsquos Computer 2 (Hub 2) Allow all
Partner Arsquos Computer
Partner Brsquos computer
Partner Crsquos computer
Every user will have access to Jeffrsquos two computers (hub) because they have Default User ACL entry as ldquoAllow
allrdquo Partner Arsquos computer does not have a specific ACL defined so the Default Computer ACL is effective The
Default Computer ACL grants Jeff access to Partner Arsquos computer but make the computer invisible to Partner B and
C Partner A have physical access to his own computer
446 Example one-way access
Jasonrsquos company provide technical support for customer A Jason needs to have one-way access to Customer Arsquos
computer but block Customer A from accessing Jasonrsquos computer Jason sets up the following ACL for his domain
and invites Customer A to join his domain Jason can access all the computers in the domain while Customer A can
access none except for his own
One day Jason visits another Customer Brsquos office He installs NeoRouter client on Customer Brsquos computer so that he
can provide technical support remotely in the future When he signs into Network Explorer he makes sure to
uncheck ldquoremember my passwordrdquo checkbox When he leaves customer Brsquos office he exits the Network Explorer
Because Network Explorer is not running on Customer Brsquos computer the Default User ACL governs the
connections from Customer Brsquos computer to other computers in the VLAN Thus Customer B does not have access
to any computers except for his own When Jason goes back to his office he can connect to Customer Brsquos computer
remotely and provide customer support
The difference between Customer A and B is that Customer A has a NeoRouter user account while Customer B does
not The result is that Jason has access to all three computers while Customer A or B can only access hisher own
computer
Default User Jason (Admin) Customer A
Default Computer ACL Block all Allow all
Jasonrsquos Computer
Customer Arsquos Computer
Customer Brsquos Computer
User Manual
NeoRouter Inc 2010 Page 38 of 53
45 Managing Server and Domain
In the Settings page you can perform the following tasks
- Change domain name User should have setup a domain during the server installation If you decide to
change the domain name you can create a new domain at NeoRouter Dashboard website and then use
Configuration Explorer to switch the server to new domain
- Change Listen Port this is discussed in the Advanced Configuration chapter
- Change NAT setting this is discussed in the Server Installation chapter
- Change DHCP this is discussed in the Advanced Configuration chapter
Please restart the NeoRouter server daemon after changes
46 Branding
This feature is available in NeoRouter Profession Edition only
Admin can customize the logo on the sign-in page NeoRouter Network Explorer and the banner below the computer
list The customization page of the Configuration Explorer allows user to make these changes The changes will be
effective next time user signs into the Network Explorer
User Manual
NeoRouter Inc 2010 Page 39 of 53
a Logo format custom logo can be JPG JPEG BMP or GIF files The Logo will be displayed in 180 80
pixels and the file will be automatically resized to fit The color of the pixel at (0 0) will be used as the
transparent color
b Banner format custom banner can be JPG JPEG BMP or GIF files The banner will be displayed in
190 42 pixels and the file will be automatically resized to fit
c When user clicks on the banner Network Explorer will launch a web browser and navigate to the link
specified in the ldquoBanner Linkrdquo box The banner link should be a valid URL that begins with http eg
httpwwwgooglecom
User Manual
NeoRouter Inc 2010 Page 40 of 53
47 Server Configuration CLI
Another way to configure the NeoRouter server is to use nrserverrsquos CLI If user does not have a Windows computer
with Configuration Explorer this tool can be used to set most configurations
Usage nrserver [options]
-run [--dbroot ltDBROOTgt]]
-showsettings
-setdomain ltDOMAINNAMEgt ltDOMAINPASSWORDgt
-setport ltPORTgt
-dhcp ltSUBNETgt ltNETMASKgt
-showusers
-adduser ltUSERNAMEgt ltPASSWORDgt [admin|user]
-setpassword ltUSERNAMEgt ltNEW PASSWORDgt
-setrole ltUSERNAMEgt [admin|user]
-enableuser ltUSERNAMEgt
-disableuser ltUSERNAMEgt
-deleteuser ltUSERNAMEgt
-showcomputers
-deletecomputer COMPUTERNAME
-setalias COMPUTERNAME ALIAS
-help
5 Advanced Configuration
51 Change Server Port
By default NeoRouter server listens at TCP port 32976 for incoming client connections User can change the
listening port to any valid number between 1 and 65534
a Launch Configuration Explorer sign in and open the Settings tab
b Click on ldquoChange Portrdquo button input the new listening port and click ldquoOkrdquo to save the settings
c If the NeoRouter Server is running on the same computer user will be prompted for restarting the
NeoRouter Server
d If the NeoRouter Server is running on a different computer or device user needs to restart the server
manually
User Manual
NeoRouter Inc 2010 Page 41 of 53
Note
- The new settings will not take effect until the NeoRouter server stops and restarts
- Since the listening port has been changed all NeoRouter clients connected to the server will be
disconnected and have to reconnect to the server
52 Change DHCP NeoRouter server acts as a DHCP server to allocate the virtual IP address when a NeoRouter client connects to it By default the base IP address is 100002552552550 User can change the base IP address to any valid network IP address to meet the specific requirements
a Run Configuration Explorer sign in and open the ldquoSettingsrdquo tab b Click on ldquoChange DHCPrdquo button input the new IP address and netmask and then click ldquoOkrdquo to save the
settings c If the NeoRouter Server is running on the same computer user will be prompted for restarting the
NeoRouter Server d If the NeoRouter Server is running on a different computer or device user needs to restart the server
manually
Note
- The new settings will not take effect until the NeoRouter server stops and restarts
53 Network Bridge
531 Overview NeoRouter (v099 or later) supports the Network Bridge feature which uses two very different means for
interconnecting networks routing and bridging Once the feature is enabled the ACL feature will be disabled
automatically as we cannot control the packets from the external networks anymore and may cause security issues if
its not setup properly So this is an advanced feature for the users who know about it every well
Routing - refers to the interconnection of separate and independent sub-networks (subnets) which have non-
overlapping ranges of IP addresses Upon receiving a packet sent to it a network router examines the
destination IP address to determine which of several connected networks should receive it after which that packet
is forwarded to the proper network
User Manual
NeoRouter Inc 2010 Page 42 of 53
Bridging - by comparison is much simpler A network bridge is simply an electrical interconnection between
separate physical networks that are all carrying the same ranges of IP addresses Standard dumb network hubs
and switches are examples of network bridges With a hub packets arriving at any port are bridged and sent
out to every other port A switch is a bit smarter since it is able to adaptively learn which network interface cards
(NICs) are attached to which ports But a switch is still interconnecting network segments carrying the same
ranges of IP addresses
532 Routing vs Bridging Although routed connections are the most common and straightforward to configure they suffer from significant
operational limitations By comparison bridged connections are generally much trickier to configure and are not
even natively available under all operating systems so they are not the default connection type But when bridging
is properly setup it correctly does everything that we want
Bridging and routing are functionally very similar with the major difference being that a routed VPN will not pass
IP broadcasts while a bridged VPN will
Routing advantages
Efficiency and scalability
Allows better tuning of MTU for efficiency
Routing disadvantages
Clients must use a WINS server (such as samba) to allow cross-VPN network browsing to work
Routes must be set up linking each subnet
Software that depends on broadcasts will not see machines on the other side of the VPN
Works only with IPv4 in general and IPv6 in cases where tuntap drivers on both ends of the connection
support it explicitly
Bridging advantages
Broadcasts traverse the VPN -- this allows software that depends on LAN broadcasts such as Windows
NetBIOS file sharing and network neighborhood browsing to work
No route statements to configure
Works with any protocol that can function over ethernet
Relatively easy-to-configure solution for road warriors
Bridging disadvantages
Less efficient than routing and does not scale well
533 Setup Network Bridge With either bridging mode or routing mode one can create point-to-site VPN site-to-site VPN or even multiple site-
to-site networks Once a network structure is well designed one can use Featureini file to control NeoRouter client
service to implement it
The file Featureini is located in the main configuration folder which can be various for different OS
On Windows Xp
XDocuments and SettingsAll UsersApplication DataZebraNetworkSystemsNeoRouter
On Vista+
XUsersAll UsersZebraNetworkSystemsNeoRouter
On Linux and Mac OSX
usrlocalZebraNetworkSystemsNeoRouter
On in-a-box
jffs
If it does not exist please create one
The only thing to do is define the parameters in the Featureini file
User Manual
NeoRouter Inc 2010 Page 43 of 53
NetworkBridge=1
LANSegment parameter
This is a set of parameters used for mapping the external IP address or IP range to a virtual IP address so that
NeoRouter can route the packets to the proper tunnel Its defined in the following format
LANSegment[index]=[IP|IP range|segment]VIP
[index] - number start from 1 for example 123
[IP] - a valid external IP address for example 192168129126
[IP range] - a set of external IP addresses in the format as IP_BEGIN-IP_END For example 192168129126-
192168129128
[segment] - a set of external IP addresses in the format as SUBNETWORKNETMASK For example
19216812902552552550
For example
[Default]
NetworkBridge=1
LANSegment1=192168129126-192168129128192168129204
LANSegment2=192168129120192168129205
LANSegment3=192168302552552550192168129206
In the sample above the setting tells NeoRouter how to route packets
Here are several common scenarios
534 Bridging Setup ndash point to site VPN
Requirement
A company wants create a point-to-site VPN so that the employees can remotely access the printers or computers in
the office from home or customer site Since NeoRouter client cannot be installed on the printers and some
User Manual
NeoRouter Inc 2010 Page 44 of 53
computers that are running Unix OS (HP-Unix Solaris or SCO Unix) the NeoRouter Network Bridge feature
would the best choice
Design
Since we want to use the printer its better to use the bridging mode Depending on the requirements we split the
network into 3 groups
1 192168129126 - 192168128128 used for computers or printers
2 192168129200 - 192168129254 used for NeoRouter DHCP
3 Other IP address we dont want packets from these IP range go to our VPN
Setup
1 Setup NeoRouter server and config the DHCP address to 1921681292002552552550
2 Setup the gateway computer by creating a bridge to combine the NeoRouter virtual adapter and a local adapter
On Windows XP+ (except WinXp x64) one can use Windows tool to create a bridge
(check out MSDN for details)
Since some adapters may not fully support prosmic mode one has to enable it manually
(check out httpsupportmicrosoftcomkb302348)
gt netsh bridge show adapter
gt netsh bridge set a 1 e
gt netsh bridge set a 2 e
On Linux one can use brctl command to create a bridge
gt brctl addbr $br
gt brctl addif $br eth0
gt brctl addif $br nrtap
gt ifconfig nrtap 0000 promisc up
gt ifconfig eth0 0000 promisc up
gt ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast
gt
gt ifconfig $br down
gt brctl delbr $br
3 Setup Featureini file on each member of the NeoRouter network The content of the file is
[Default]
NetworkBridge=1
LANSegment1=192168129126-192168129128192168129204
After setting the file restart the nrservice or reboot computer
User Manual
NeoRouter Inc 2010 Page 45 of 53
535 Routing Setup ndash site to site VPN
Requirement
A company wants create a site-to-site VPN to link two offices located in different cities They cannot install
NeoRouter client software on their computers running Unix OS (HP-Unix Solaris or SCO Unix) The NeoRouter
Network Bridge feature would be the best choice
Design
To make the VPN fast its better to use the routing mode From the requirements we can see 3 networks
1 19216812902552552550 Office 1
2 192168302552552550 Office 2
3 100102552552550 NeoRouter virtual network
Setup
1 Setup NeoRouter client on each gateway computers
2 One each gateway computer enable the feature allowing the OS to forward packets
On Windows 2000+
create HKEY_Local_MachineSystemCurrentControlSetServicesTcpipParametersIPEnableRouter
as a string value equal to 1 in the registry This will require a system reboot to take effect To confirm it
is enabled do ipconfig all from the command line IP Routing Enabled should say yes If not confirm your
registry setting and reboot again This setting is flaky in non-server versions of Windows
Also refer to httpsupportmicrosoftcomkb230082en-us
On Linux
gt echo 1 gt procsysnetipv4ip_forward
User Manual
NeoRouter Inc 2010 Page 46 of 53
On Mac OS X
1) The easy way is to create or edit etcsysctlconf and add netinetipforwarding=1
or
2) gt sysctl -w netinetipforwarding=1
3 Setup route on each gateway
On the gateway of the 1921683x network
gt route ndashp add 1921681290 mask 25525500 1001103
On the gateway of the 192168129x network
gt route ndashp add 19216830 mask 25525500 1001102
4 Setup route stable When using routing method you need to tell your other machines how to cross the VPN to
access computers on the opposite network
Option1
This requires more work but limits configuration changes to be at the computer level
On each computer of the 1921683x network
gt route ndashp add 1921681290 mask 25525500 1921683234
On each computer of the 192168129x network
gt route ndashp add 19216830 mask 25525500 192168129129
Option 2 (not all routers support this but it is the minimal configuration method)
On the router acting as the default gateway for 1921683x network add a static route that says any traffic destined
for 1921681290 network go through 1921683x (IP address of NeoRouter PC on 1921683x network)
On the router acting as the default gateway for 192168129x network add a static route that says any traffic
destined for 19216830 network go through 192168129x (IP address of NeoRouter PC on 192168129x
network)
User Manual
NeoRouter Inc 2010 Page 47 of 53
536 Bridging Setup ndash site to site VPN
537 Run Scripts When Network Bridge feature is enabled one can define commands getting called by NR Client on the following
events
These commands should be defined in the Featureini file
1When initialize the tap device but not activate it yet
CmdOnTapInit=xxxxxxxxx
2When the tap device gets activated
CmdOnTapActive=xxxxxxxxx
3When tap device gets destroyed
CmdOnTapUninit=xxxxxxxxx
These options are available on all platforms
For example one can define a script to setup static route table after the tap gets activated and has virtual IP address
assigned
Featureini
CmdOnTapActive=usrbinsetroutetablesh
User Manual
NeoRouter Inc 2010 Page 48 of 53
54 Build Custom Add-on (Windows)
541 Create Custom Add-on You can customize an add-on or even create your own
As an example letrsquos create an add-on to get the system info of a remote computer using PsTools by Mark
Russinovich and systeminfoexe command shipped with Windows
PsTools httptechnetmicrosoftcomen-ussysinternalsbb896649aspx
systeminfo httptechnetmicrosoftcomen-uslibrarybb491007aspx
a Launch NeoRouter Network Explorer open Add-ons Manager dialog
b Click + button to create a new add-on
c In add-on properties dialog enter the following
Add-on name psexec systeminfo
Command
cmdexe C cpstoolspsexecexe NRIPAddress -u ltusernamegt systeminfo amp pause
Please replace ltusernamegt with username on the remote computer
Comment Get SystemInfo of remote machine using psexec
Startup Type Manual
Icon click Change Icon button to choose one thats easy to recognize
d In the command you can use Windows environment variables or NeoRouter variables like
NRIPAddress If you click on the button next to the Command edit box you will see the Edit
Command dialog with a list of variables you can use
User Manual
NeoRouter Inc 2010 Page 49 of 53
e Three Startup types are supported
Manual the add-on will be displayed in the launch pad of Network Explorer and user can manually
launch the program
Automatic after signing in the add-on command is automatically executed when user signs into
NeoRouter Network Explorer
Automatic after Windows starts the add-on command is automatically executed when Windows
starts
f Launch the new add-on just click on the target computer in Network Explorer and choose the add-on in
the pop-up launch pad
User Manual
NeoRouter Inc 2010 Page 50 of 53
g In the above steps I have assumed that PsTools are installed at cPsTools and the remote computer has
telnet service enabled If not lets configure the system now
PsTools download from httptechnetmicrosoftcomen-ussysinternalsbb896649aspx and extract to
cPsTools folder
h Configure telnet service on remote computer This step is required on XPVista but not necessary on
Windows 20032008 servers
Run servicesmsc from the Start -gt Run command window and configured the Telnet service for
Automatic Start the service
Follow the instructions here httpsupportmicrosoftcomkb298060en-us
Launch Windows firewall and add CWINDOWSSystem32tlntsvrexe to exception list
542 Add-on File Formats
NeoRouter supports two types of add-on files nri and nra Most users only need to deal with nri files all files
downloaded from httpwwwneoroutercomaddonsindexhtml are in this format nra files are used by advanced
users to build custom add-ons
nri is the full installation package that contains both the application and the the configure info Users can simply
download nri files from and use the Install button to setup the add-on
nra contains only the configuration info Advanced users can create custom add-ons and export the configuration
info as nra files using the Export button in the add-on properties dialog Then heshe can import the nra file
on another client But remember that you will need to manually setup the application as well
User Manual
NeoRouter Inc 2010 Page 51 of 53
6 Licensing NeoRouter
61 Licensing Overview
NeoRouter Server Professional Edition has a license control mechanism User can purchase either 8 licenses or 256
licenses The number of licenses is the max number of client computers allowed in the virtual network A
NeoRouter client requires one license regardless of whether it is online or offline A NeoRouter PortableUSB client
requires one license when it is connected to the virtual network There is no limit on the number of user accounts
NeoRouter Professional has 30 days trial period Please activate before the trial period expires to ensure
uninterrupted usage The license status and remaining trial days can be found at Configuration Explorerrsquos General
page
62 Activation
If you have purchased NeoRouter Professional Edition you should receive a product key in email Please have the
product key ready before starting the activation process
a Ensure NeoRouter server is running
b Launch Configuration Explorer and sign in
c Open ldquoGeneralrdquo page click on the ldquoActivate Productrdquo button
d Enter the product key in the following dialog
e Click on the ldquoOKrdquo button to activate it
After successful activation the ldquoActivate Productrdquo button will disappear and License status will show as activated
If the server host is non-Windows you can also activate using nrserverrsquos CLI The command is as follows On Mac
nrserver executable is located under LibraryNeoRouter
ldquonrserver ndashactivateproduct ltPRODUCT KEYgtrdquo
63 Product Key Recovery
You should receive a product key in email within 48 hours after your purchase If you lose the product key please
contact us and provide your name company shipping address and email address We will verify the information and
resend the product key to you
User Manual
NeoRouter Inc 2010 Page 52 of 53
7 Troubleshooting and Support
71 Troubleshooting
If you come cross issues when using NeoRouter please use the methods to debug or report
711 Troubleshooting steps
1Install Server
2Check Server
Process
3Check Server
Listening port
4Check Port
Forwarding
6Signin with
Domain
14Check Error
Message
20 Generate Log
and email support
9Install Client
10Check Client
Service Process
11Sign in with
serverrsquos local or
public IP and port
failed
sucessful
15 Manually Start
Servernot found
started
not start
found
not open17 Check Port
conflicts
solved
Not solved
opened
19 Check Router
Port Forward
setting
not work
Set properly
8Ready
Sign in successfully
5Sign in with
public IP and port
successful
Cannot sign in
22 Router Hairpin
issue
Cannot
sign in
12Sign in with
domain name
found
successful
failed
16 Manually Start
Client ServiceNot found
started
13Ready
Sign in successfully
18 Check serverCannot
Sign in
solved
Cannot
sign in
21 Check domain
setting
Not sovled solved
Troubleshooting Steps
Setup Server Setup Client
Note
Step 2 and 10 to check if a process is running you can use Task Manager or Services Console on
Windows or ps command on other platforms
Step 3 to check server listening port you can use telnet or netstat on all platforms You can also
TcpViewer on Windows or NetActView on Linux
Step 4 to check port forwarding you can use httpwwwneoroutercomcheckportphp
Step 5 and 6 Tip ndash use Configuration Explorer instead of Network Explorer to debug server issues
Step 20 next section will explain how to generate log files
User Manual
NeoRouter Inc 2010 Page 53 of 53
Step 22 If your router does not support Hairpin please set serverrsquos LAN address in the Connection
Options dialog See Server Local Address
712 Generate Log
If you need technical support please use the following steps to collect the log files and send them to
supportneoroutercom
a Launch Network Explorer
b Select menu item HelpgtgtTroubleshootinggtgtLog Session to File
c If you want to troubleshoot the server then restart the NeoRouter server service from the servicesmsc if
you want to create log for the client then restart the NeoRouter client service from the servicemsc
d After reproduce the issue select menu item HelpgtgtTroubleshootinggtgt Log Session to File again to disable
the log and restart the service you are trying to log
e Select menu item HelpgtgtTroubleshootinggtgtOpen Configuration Folder and you will see the log file
For advanced users please setup logging settings manually referring to
httpwwwneoroutercomwikiindexphpNeoRouterWikiFAQHow_to_generate_a_log_file3F
72 Contact Us
Company website
httpwwwneoroutercom
Technical support
supportneoroutercom
Support ticket
httpswwwneoroutercomDashboardSendTicketaspx
Support forum
httpwwwneoroutercomforum
Product sales
salesneoroutercom
Knowledge base
httpwwwneoroutercomsupport
User Manual
NeoRouter Inc 2010 Page 30 of 53
d Click on the ldquohelliprdquo button next to the working directory text box and specify a working path If the target
USB drive is plugged in you can specify the USB drive root path as the working directory Or you can
specify a temporary path (eg CTEMPUSB) and copy the files to your USB driver later
e Once you specify a working directory the Settings section will be enabled
f Choose CliViewerexe from the same install zip package as the Target file
g Check the Sign in checkbox and enter the domain name and user information to log into your NeoRouter
VLAN
h Setup the proxy information if necessary
i If you want to import a NeoRouter add-on click on the button on the right side of the Add-on file text
box and specify an add-on nri file
j If you want to run an application automatically after signing in click on the Run application
automatically check box and input an executable file path and parameters
k If you want to hide the NeoRouter Viewer window click on the Minimize NeoRouter window when
started
l Click on Save button to save the configuration files It will generate the following files under the working
directory
- Autoruninf
- CliViewerexe copied from the target file
- NRAutoRunxml
- [add-on file]nri if you specify an add-on
- Proxyxml if you specify a proxy
m You will also see the following dialog if the configuration was successful Then please copy all files and
sub-folder under the working directory to the root of your USB drive And the USB drive is ready to use
39 Change Password
A user can change hisher password in NeoRouter Network Explorer User must sign in the Network Explorer using
old password then choose menu ldquoFile | Change Passwordrdquo then enter the new password in the dialog
Network Explorer CLI has similar functionality After signing in user can use ndashchangepassword command to enter
new password
If a user loses the old password an administrator can create a new password for himher using the Configuration
Explorer User Management tool
User Manual
NeoRouter Inc 2010 Page 31 of 53
4 Configuration Explorer
NeoRouter Configuration Explorer is a Windows application that allows an administrator to manage local or remote
NeoRouter server This is the recommended method to change server settings
If user does not have a Windows computer nrserver CLI can be used to perform most configurations
41 Launch and Sign In
Note Only administrators can sign in Configuration Explorer
a User can launch it from Windows Start Menu | All Programs | NeoRouter | NeoRouter Network Explorer
or from NeoRouter Network Explorer menu ldquoFile | Optionsrdquo
b After launch user will see a sign-in dialog that is similar to the Network Explorer counterpart Please enter
domain name and user credential to sign in If the local host is behind a proxy please click on Connection
button to set proxy information
c After sign in the following general information page will be displayed
User Manual
NeoRouter Inc 2010 Page 32 of 53
42 Managing Users
In the User Accounts page you can perform the following tasks
- View existing users The users list can be sorted by any column
- Add a new user admin will create a temporary password for the new user and user can change the
password in Network Explorer
- Edit user information you can enter anything like employer contact info etc
- Set userrsquos password If a user loses password admin can set a temporary password for himher Then user
can change the password again in Network Explorer
- Disable (block) a user A disabled user will not be able to sign in Network Explorer or Configuration
Explorer The userrsquos profile and ACL settings are retained
- Delete a user all information of this user is deleted
- View the computers that are visible to this user (see ACL section for details)
User Manual
NeoRouter Inc 2010 Page 33 of 53
43 Managing Computers
In the Computers page you can perform the following tasks
- View existing computers please note that the Type column will show ldquoTemporaryrdquo for Network Explore
PortableUSB clients and ldquoPermanentrdquo for regular clients The computer list can be sorted by any column
- Edit a computerrsquos alias When a computer is added to the virtual network NeoRouter reads the computer
name from the OS and displays it in the computer list If you prefer a different name you can create an
alias which will then be used in the computer list
- Edit a computerrsquos description you can enter anything like computer owner location asset id etc
- Edit ACL this will be discussed in next section
User Manual
NeoRouter Inc 2010 Page 34 of 53
44 Access Control List
This feature is available in NeoRouter Profession Edition only
441 Overview
The ACL of a host specifies which users are granted or denied access to the host and which specific services or ports
are allowed Administrators can use ACL to manage a NeoRouter domain that has users with different trust levels
For example Joe uses NeoRouter to manage the office network at his small business He wants to share some
documents on a file server with a customer but block this customer from accessing other services on this file server
and other computers at office At the same time Joe and his coworkers should continue to have full access to all
computers
This can be a daunting task with traditional VPN solutions Once Joersquos customer is connected into the office
network heshe can access all network resources just like Joe and his coworkers If the office uses a domain
controller it can help mitigate the threat but Joe would have to check all the computers to ensure they are secure
Some coworkers can make innocent mistakes and share important files or internal websites with ldquoeveryonerdquo With
NeoRouter Joe can manage all the access control at one place and easily solve this challenge
User Manual
NeoRouter Inc 2010 Page 35 of 53
ACL defines the relationships between users and computers that can be conceptually represented using a table In
Joersquos case he needs to define the ACL as follows
Default User Joe (Admin) Customer Joersquo Co-workers
Default Computer ACL Block all
File Server Allow all Allow file sharing
block other services
Office Computer A Allow all Block all
Office Computer B Allow all Block all
Joersquos laptop Allow all Block all
Customerrsquos Computer
Letrsquos first look at the row for File Server Joersquos customer will only have access to the files sharing service There is
no ACL defined for Joe and his co-workers so the ACL for Default User is effective and they have full access
Similarly the customer will be blocked from accessing office computer A and B as well as Joersquos laptop while Joe
and his coworkers have full access to these computers
When the customer connects to Joersquos NeoRouter domain his computer will be added to the domain Because the
ACL for this computer is undefined it will have the same ACL as ldquoDefault Computerrdquo Thus the customerrsquos
computer will block all users including Joe from accessing it The customer has physical access to his own
computer
442 Define Computer ACL
You can think of a computerrsquos ACL as a row in the above ACL table An admin can select any computer in the
computer list and edit its ACL If a group of computers share the same ACL admin can copy ACL from one
computer to another
To edit the Default Computer ACL you can click on the ldquoEdit Default ACLrdquo button in the tool bar
User Manual
NeoRouter Inc 2010 Page 36 of 53
443 Define ACL entry
An ACL entry defines the relationship between one user and one computer You can think of it as a cell in the above
table To edit an ACL entry you can select the computer in the computer list click Edit ACL in the tool bar and
then select the user in the User List in the following dialog If the user does not exist in the list you can click Add
button and add himher
There are 4 types of ACL entries
Undefined the relationship between the user and the computer is not explicitly defined The user does not
show up in the User List of the ACL In this case the Default User ACL entry for this computer will be
effective
Block All the computer is invisible to the user User cannot add the computer to hisher computer list in
Network Explorer or connect to it
Note admin can view the list of computers that is visible to a specific user Click on the User Accounts tab
choose the user and then click on the ldquoUser Computer Listrdquo button from tool bar
Firewall On User can only access the services in the exceptions list provided by the computer
Firewall Off User can access all services provided by the computer
To define the Default User ACL entry for a computer choose Default User from User List If several users have the
same trust level admin can copy the ACL entry from one user to another using the ldquoCopy Fromrdquo button
444 How Firewall Works
NeoRouter Client Service daemon has a built-in firewall that monitors traffic in the virtual network The firewall
downloads the ACL from server and uses it to allow or deny incoming connections in the virtual network
User Manual
NeoRouter Inc 2010 Page 37 of 53
When a remote computer establishes a direct P2P or relayed connection to local host it also informs which user has
signed into the Network Explorer on the remote computer Then the local hostrsquos firewall will use the user id to
choose the appropriate ACL entry and control the virtual network traffic between these two computers If user does
not sign in Network Explorer on the remote computer the Default User ACL entry is used
As a result NeoRouter firewall can control a userrsquos access to a network resource (a computer or a service on a
computer) based on the ACL
445 Example hub-and-spoke
Jeffrsquos company has three business partners A B and C Jeff needs to setup bidirectional network connections with
each partner but these partners should be invisible to each other Jeff setup a NeoRouter domain and invited the
partners to Then Jeff creates the following ACL to achieve his access control goals
Default User Jeff (Admin) Partner A Partner B Partner C
Default Computer ACL Block all Allow all
Jeffrsquos Computer 1 (Hub 1) Allow all
Jeffrsquos Computer 2 (Hub 2) Allow all
Partner Arsquos Computer
Partner Brsquos computer
Partner Crsquos computer
Every user will have access to Jeffrsquos two computers (hub) because they have Default User ACL entry as ldquoAllow
allrdquo Partner Arsquos computer does not have a specific ACL defined so the Default Computer ACL is effective The
Default Computer ACL grants Jeff access to Partner Arsquos computer but make the computer invisible to Partner B and
C Partner A have physical access to his own computer
446 Example one-way access
Jasonrsquos company provide technical support for customer A Jason needs to have one-way access to Customer Arsquos
computer but block Customer A from accessing Jasonrsquos computer Jason sets up the following ACL for his domain
and invites Customer A to join his domain Jason can access all the computers in the domain while Customer A can
access none except for his own
One day Jason visits another Customer Brsquos office He installs NeoRouter client on Customer Brsquos computer so that he
can provide technical support remotely in the future When he signs into Network Explorer he makes sure to
uncheck ldquoremember my passwordrdquo checkbox When he leaves customer Brsquos office he exits the Network Explorer
Because Network Explorer is not running on Customer Brsquos computer the Default User ACL governs the
connections from Customer Brsquos computer to other computers in the VLAN Thus Customer B does not have access
to any computers except for his own When Jason goes back to his office he can connect to Customer Brsquos computer
remotely and provide customer support
The difference between Customer A and B is that Customer A has a NeoRouter user account while Customer B does
not The result is that Jason has access to all three computers while Customer A or B can only access hisher own
computer
Default User Jason (Admin) Customer A
Default Computer ACL Block all Allow all
Jasonrsquos Computer
Customer Arsquos Computer
Customer Brsquos Computer
User Manual
NeoRouter Inc 2010 Page 38 of 53
45 Managing Server and Domain
In the Settings page you can perform the following tasks
- Change domain name User should have setup a domain during the server installation If you decide to
change the domain name you can create a new domain at NeoRouter Dashboard website and then use
Configuration Explorer to switch the server to new domain
- Change Listen Port this is discussed in the Advanced Configuration chapter
- Change NAT setting this is discussed in the Server Installation chapter
- Change DHCP this is discussed in the Advanced Configuration chapter
Please restart the NeoRouter server daemon after changes
46 Branding
This feature is available in NeoRouter Profession Edition only
Admin can customize the logo on the sign-in page NeoRouter Network Explorer and the banner below the computer
list The customization page of the Configuration Explorer allows user to make these changes The changes will be
effective next time user signs into the Network Explorer
User Manual
NeoRouter Inc 2010 Page 39 of 53
a Logo format custom logo can be JPG JPEG BMP or GIF files The Logo will be displayed in 180 80
pixels and the file will be automatically resized to fit The color of the pixel at (0 0) will be used as the
transparent color
b Banner format custom banner can be JPG JPEG BMP or GIF files The banner will be displayed in
190 42 pixels and the file will be automatically resized to fit
c When user clicks on the banner Network Explorer will launch a web browser and navigate to the link
specified in the ldquoBanner Linkrdquo box The banner link should be a valid URL that begins with http eg
httpwwwgooglecom
User Manual
NeoRouter Inc 2010 Page 40 of 53
47 Server Configuration CLI
Another way to configure the NeoRouter server is to use nrserverrsquos CLI If user does not have a Windows computer
with Configuration Explorer this tool can be used to set most configurations
Usage nrserver [options]
-run [--dbroot ltDBROOTgt]]
-showsettings
-setdomain ltDOMAINNAMEgt ltDOMAINPASSWORDgt
-setport ltPORTgt
-dhcp ltSUBNETgt ltNETMASKgt
-showusers
-adduser ltUSERNAMEgt ltPASSWORDgt [admin|user]
-setpassword ltUSERNAMEgt ltNEW PASSWORDgt
-setrole ltUSERNAMEgt [admin|user]
-enableuser ltUSERNAMEgt
-disableuser ltUSERNAMEgt
-deleteuser ltUSERNAMEgt
-showcomputers
-deletecomputer COMPUTERNAME
-setalias COMPUTERNAME ALIAS
-help
5 Advanced Configuration
51 Change Server Port
By default NeoRouter server listens at TCP port 32976 for incoming client connections User can change the
listening port to any valid number between 1 and 65534
a Launch Configuration Explorer sign in and open the Settings tab
b Click on ldquoChange Portrdquo button input the new listening port and click ldquoOkrdquo to save the settings
c If the NeoRouter Server is running on the same computer user will be prompted for restarting the
NeoRouter Server
d If the NeoRouter Server is running on a different computer or device user needs to restart the server
manually
User Manual
NeoRouter Inc 2010 Page 41 of 53
Note
- The new settings will not take effect until the NeoRouter server stops and restarts
- Since the listening port has been changed all NeoRouter clients connected to the server will be
disconnected and have to reconnect to the server
52 Change DHCP NeoRouter server acts as a DHCP server to allocate the virtual IP address when a NeoRouter client connects to it By default the base IP address is 100002552552550 User can change the base IP address to any valid network IP address to meet the specific requirements
a Run Configuration Explorer sign in and open the ldquoSettingsrdquo tab b Click on ldquoChange DHCPrdquo button input the new IP address and netmask and then click ldquoOkrdquo to save the
settings c If the NeoRouter Server is running on the same computer user will be prompted for restarting the
NeoRouter Server d If the NeoRouter Server is running on a different computer or device user needs to restart the server
manually
Note
- The new settings will not take effect until the NeoRouter server stops and restarts
53 Network Bridge
531 Overview NeoRouter (v099 or later) supports the Network Bridge feature which uses two very different means for
interconnecting networks routing and bridging Once the feature is enabled the ACL feature will be disabled
automatically as we cannot control the packets from the external networks anymore and may cause security issues if
its not setup properly So this is an advanced feature for the users who know about it every well
Routing - refers to the interconnection of separate and independent sub-networks (subnets) which have non-
overlapping ranges of IP addresses Upon receiving a packet sent to it a network router examines the
destination IP address to determine which of several connected networks should receive it after which that packet
is forwarded to the proper network
User Manual
NeoRouter Inc 2010 Page 42 of 53
Bridging - by comparison is much simpler A network bridge is simply an electrical interconnection between
separate physical networks that are all carrying the same ranges of IP addresses Standard dumb network hubs
and switches are examples of network bridges With a hub packets arriving at any port are bridged and sent
out to every other port A switch is a bit smarter since it is able to adaptively learn which network interface cards
(NICs) are attached to which ports But a switch is still interconnecting network segments carrying the same
ranges of IP addresses
532 Routing vs Bridging Although routed connections are the most common and straightforward to configure they suffer from significant
operational limitations By comparison bridged connections are generally much trickier to configure and are not
even natively available under all operating systems so they are not the default connection type But when bridging
is properly setup it correctly does everything that we want
Bridging and routing are functionally very similar with the major difference being that a routed VPN will not pass
IP broadcasts while a bridged VPN will
Routing advantages
Efficiency and scalability
Allows better tuning of MTU for efficiency
Routing disadvantages
Clients must use a WINS server (such as samba) to allow cross-VPN network browsing to work
Routes must be set up linking each subnet
Software that depends on broadcasts will not see machines on the other side of the VPN
Works only with IPv4 in general and IPv6 in cases where tuntap drivers on both ends of the connection
support it explicitly
Bridging advantages
Broadcasts traverse the VPN -- this allows software that depends on LAN broadcasts such as Windows
NetBIOS file sharing and network neighborhood browsing to work
No route statements to configure
Works with any protocol that can function over ethernet
Relatively easy-to-configure solution for road warriors
Bridging disadvantages
Less efficient than routing and does not scale well
533 Setup Network Bridge With either bridging mode or routing mode one can create point-to-site VPN site-to-site VPN or even multiple site-
to-site networks Once a network structure is well designed one can use Featureini file to control NeoRouter client
service to implement it
The file Featureini is located in the main configuration folder which can be various for different OS
On Windows Xp
XDocuments and SettingsAll UsersApplication DataZebraNetworkSystemsNeoRouter
On Vista+
XUsersAll UsersZebraNetworkSystemsNeoRouter
On Linux and Mac OSX
usrlocalZebraNetworkSystemsNeoRouter
On in-a-box
jffs
If it does not exist please create one
The only thing to do is define the parameters in the Featureini file
User Manual
NeoRouter Inc 2010 Page 43 of 53
NetworkBridge=1
LANSegment parameter
This is a set of parameters used for mapping the external IP address or IP range to a virtual IP address so that
NeoRouter can route the packets to the proper tunnel Its defined in the following format
LANSegment[index]=[IP|IP range|segment]VIP
[index] - number start from 1 for example 123
[IP] - a valid external IP address for example 192168129126
[IP range] - a set of external IP addresses in the format as IP_BEGIN-IP_END For example 192168129126-
192168129128
[segment] - a set of external IP addresses in the format as SUBNETWORKNETMASK For example
19216812902552552550
For example
[Default]
NetworkBridge=1
LANSegment1=192168129126-192168129128192168129204
LANSegment2=192168129120192168129205
LANSegment3=192168302552552550192168129206
In the sample above the setting tells NeoRouter how to route packets
Here are several common scenarios
534 Bridging Setup ndash point to site VPN
Requirement
A company wants create a point-to-site VPN so that the employees can remotely access the printers or computers in
the office from home or customer site Since NeoRouter client cannot be installed on the printers and some
User Manual
NeoRouter Inc 2010 Page 44 of 53
computers that are running Unix OS (HP-Unix Solaris or SCO Unix) the NeoRouter Network Bridge feature
would the best choice
Design
Since we want to use the printer its better to use the bridging mode Depending on the requirements we split the
network into 3 groups
1 192168129126 - 192168128128 used for computers or printers
2 192168129200 - 192168129254 used for NeoRouter DHCP
3 Other IP address we dont want packets from these IP range go to our VPN
Setup
1 Setup NeoRouter server and config the DHCP address to 1921681292002552552550
2 Setup the gateway computer by creating a bridge to combine the NeoRouter virtual adapter and a local adapter
On Windows XP+ (except WinXp x64) one can use Windows tool to create a bridge
(check out MSDN for details)
Since some adapters may not fully support prosmic mode one has to enable it manually
(check out httpsupportmicrosoftcomkb302348)
gt netsh bridge show adapter
gt netsh bridge set a 1 e
gt netsh bridge set a 2 e
On Linux one can use brctl command to create a bridge
gt brctl addbr $br
gt brctl addif $br eth0
gt brctl addif $br nrtap
gt ifconfig nrtap 0000 promisc up
gt ifconfig eth0 0000 promisc up
gt ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast
gt
gt ifconfig $br down
gt brctl delbr $br
3 Setup Featureini file on each member of the NeoRouter network The content of the file is
[Default]
NetworkBridge=1
LANSegment1=192168129126-192168129128192168129204
After setting the file restart the nrservice or reboot computer
User Manual
NeoRouter Inc 2010 Page 45 of 53
535 Routing Setup ndash site to site VPN
Requirement
A company wants create a site-to-site VPN to link two offices located in different cities They cannot install
NeoRouter client software on their computers running Unix OS (HP-Unix Solaris or SCO Unix) The NeoRouter
Network Bridge feature would be the best choice
Design
To make the VPN fast its better to use the routing mode From the requirements we can see 3 networks
1 19216812902552552550 Office 1
2 192168302552552550 Office 2
3 100102552552550 NeoRouter virtual network
Setup
1 Setup NeoRouter client on each gateway computers
2 One each gateway computer enable the feature allowing the OS to forward packets
On Windows 2000+
create HKEY_Local_MachineSystemCurrentControlSetServicesTcpipParametersIPEnableRouter
as a string value equal to 1 in the registry This will require a system reboot to take effect To confirm it
is enabled do ipconfig all from the command line IP Routing Enabled should say yes If not confirm your
registry setting and reboot again This setting is flaky in non-server versions of Windows
Also refer to httpsupportmicrosoftcomkb230082en-us
On Linux
gt echo 1 gt procsysnetipv4ip_forward
User Manual
NeoRouter Inc 2010 Page 46 of 53
On Mac OS X
1) The easy way is to create or edit etcsysctlconf and add netinetipforwarding=1
or
2) gt sysctl -w netinetipforwarding=1
3 Setup route on each gateway
On the gateway of the 1921683x network
gt route ndashp add 1921681290 mask 25525500 1001103
On the gateway of the 192168129x network
gt route ndashp add 19216830 mask 25525500 1001102
4 Setup route stable When using routing method you need to tell your other machines how to cross the VPN to
access computers on the opposite network
Option1
This requires more work but limits configuration changes to be at the computer level
On each computer of the 1921683x network
gt route ndashp add 1921681290 mask 25525500 1921683234
On each computer of the 192168129x network
gt route ndashp add 19216830 mask 25525500 192168129129
Option 2 (not all routers support this but it is the minimal configuration method)
On the router acting as the default gateway for 1921683x network add a static route that says any traffic destined
for 1921681290 network go through 1921683x (IP address of NeoRouter PC on 1921683x network)
On the router acting as the default gateway for 192168129x network add a static route that says any traffic
destined for 19216830 network go through 192168129x (IP address of NeoRouter PC on 192168129x
network)
User Manual
NeoRouter Inc 2010 Page 47 of 53
536 Bridging Setup ndash site to site VPN
537 Run Scripts When Network Bridge feature is enabled one can define commands getting called by NR Client on the following
events
These commands should be defined in the Featureini file
1When initialize the tap device but not activate it yet
CmdOnTapInit=xxxxxxxxx
2When the tap device gets activated
CmdOnTapActive=xxxxxxxxx
3When tap device gets destroyed
CmdOnTapUninit=xxxxxxxxx
These options are available on all platforms
For example one can define a script to setup static route table after the tap gets activated and has virtual IP address
assigned
Featureini
CmdOnTapActive=usrbinsetroutetablesh
User Manual
NeoRouter Inc 2010 Page 48 of 53
54 Build Custom Add-on (Windows)
541 Create Custom Add-on You can customize an add-on or even create your own
As an example letrsquos create an add-on to get the system info of a remote computer using PsTools by Mark
Russinovich and systeminfoexe command shipped with Windows
PsTools httptechnetmicrosoftcomen-ussysinternalsbb896649aspx
systeminfo httptechnetmicrosoftcomen-uslibrarybb491007aspx
a Launch NeoRouter Network Explorer open Add-ons Manager dialog
b Click + button to create a new add-on
c In add-on properties dialog enter the following
Add-on name psexec systeminfo
Command
cmdexe C cpstoolspsexecexe NRIPAddress -u ltusernamegt systeminfo amp pause
Please replace ltusernamegt with username on the remote computer
Comment Get SystemInfo of remote machine using psexec
Startup Type Manual
Icon click Change Icon button to choose one thats easy to recognize
d In the command you can use Windows environment variables or NeoRouter variables like
NRIPAddress If you click on the button next to the Command edit box you will see the Edit
Command dialog with a list of variables you can use
User Manual
NeoRouter Inc 2010 Page 49 of 53
e Three Startup types are supported
Manual the add-on will be displayed in the launch pad of Network Explorer and user can manually
launch the program
Automatic after signing in the add-on command is automatically executed when user signs into
NeoRouter Network Explorer
Automatic after Windows starts the add-on command is automatically executed when Windows
starts
f Launch the new add-on just click on the target computer in Network Explorer and choose the add-on in
the pop-up launch pad
User Manual
NeoRouter Inc 2010 Page 50 of 53
g In the above steps I have assumed that PsTools are installed at cPsTools and the remote computer has
telnet service enabled If not lets configure the system now
PsTools download from httptechnetmicrosoftcomen-ussysinternalsbb896649aspx and extract to
cPsTools folder
h Configure telnet service on remote computer This step is required on XPVista but not necessary on
Windows 20032008 servers
Run servicesmsc from the Start -gt Run command window and configured the Telnet service for
Automatic Start the service
Follow the instructions here httpsupportmicrosoftcomkb298060en-us
Launch Windows firewall and add CWINDOWSSystem32tlntsvrexe to exception list
542 Add-on File Formats
NeoRouter supports two types of add-on files nri and nra Most users only need to deal with nri files all files
downloaded from httpwwwneoroutercomaddonsindexhtml are in this format nra files are used by advanced
users to build custom add-ons
nri is the full installation package that contains both the application and the the configure info Users can simply
download nri files from and use the Install button to setup the add-on
nra contains only the configuration info Advanced users can create custom add-ons and export the configuration
info as nra files using the Export button in the add-on properties dialog Then heshe can import the nra file
on another client But remember that you will need to manually setup the application as well
User Manual
NeoRouter Inc 2010 Page 51 of 53
6 Licensing NeoRouter
61 Licensing Overview
NeoRouter Server Professional Edition has a license control mechanism User can purchase either 8 licenses or 256
licenses The number of licenses is the max number of client computers allowed in the virtual network A
NeoRouter client requires one license regardless of whether it is online or offline A NeoRouter PortableUSB client
requires one license when it is connected to the virtual network There is no limit on the number of user accounts
NeoRouter Professional has 30 days trial period Please activate before the trial period expires to ensure
uninterrupted usage The license status and remaining trial days can be found at Configuration Explorerrsquos General
page
62 Activation
If you have purchased NeoRouter Professional Edition you should receive a product key in email Please have the
product key ready before starting the activation process
a Ensure NeoRouter server is running
b Launch Configuration Explorer and sign in
c Open ldquoGeneralrdquo page click on the ldquoActivate Productrdquo button
d Enter the product key in the following dialog
e Click on the ldquoOKrdquo button to activate it
After successful activation the ldquoActivate Productrdquo button will disappear and License status will show as activated
If the server host is non-Windows you can also activate using nrserverrsquos CLI The command is as follows On Mac
nrserver executable is located under LibraryNeoRouter
ldquonrserver ndashactivateproduct ltPRODUCT KEYgtrdquo
63 Product Key Recovery
You should receive a product key in email within 48 hours after your purchase If you lose the product key please
contact us and provide your name company shipping address and email address We will verify the information and
resend the product key to you
User Manual
NeoRouter Inc 2010 Page 52 of 53
7 Troubleshooting and Support
71 Troubleshooting
If you come cross issues when using NeoRouter please use the methods to debug or report
711 Troubleshooting steps
1Install Server
2Check Server
Process
3Check Server
Listening port
4Check Port
Forwarding
6Signin with
Domain
14Check Error
Message
20 Generate Log
and email support
9Install Client
10Check Client
Service Process
11Sign in with
serverrsquos local or
public IP and port
failed
sucessful
15 Manually Start
Servernot found
started
not start
found
not open17 Check Port
conflicts
solved
Not solved
opened
19 Check Router
Port Forward
setting
not work
Set properly
8Ready
Sign in successfully
5Sign in with
public IP and port
successful
Cannot sign in
22 Router Hairpin
issue
Cannot
sign in
12Sign in with
domain name
found
successful
failed
16 Manually Start
Client ServiceNot found
started
13Ready
Sign in successfully
18 Check serverCannot
Sign in
solved
Cannot
sign in
21 Check domain
setting
Not sovled solved
Troubleshooting Steps
Setup Server Setup Client
Note
Step 2 and 10 to check if a process is running you can use Task Manager or Services Console on
Windows or ps command on other platforms
Step 3 to check server listening port you can use telnet or netstat on all platforms You can also
TcpViewer on Windows or NetActView on Linux
Step 4 to check port forwarding you can use httpwwwneoroutercomcheckportphp
Step 5 and 6 Tip ndash use Configuration Explorer instead of Network Explorer to debug server issues
Step 20 next section will explain how to generate log files
User Manual
NeoRouter Inc 2010 Page 53 of 53
Step 22 If your router does not support Hairpin please set serverrsquos LAN address in the Connection
Options dialog See Server Local Address
712 Generate Log
If you need technical support please use the following steps to collect the log files and send them to
supportneoroutercom
a Launch Network Explorer
b Select menu item HelpgtgtTroubleshootinggtgtLog Session to File
c If you want to troubleshoot the server then restart the NeoRouter server service from the servicesmsc if
you want to create log for the client then restart the NeoRouter client service from the servicemsc
d After reproduce the issue select menu item HelpgtgtTroubleshootinggtgt Log Session to File again to disable
the log and restart the service you are trying to log
e Select menu item HelpgtgtTroubleshootinggtgtOpen Configuration Folder and you will see the log file
For advanced users please setup logging settings manually referring to
httpwwwneoroutercomwikiindexphpNeoRouterWikiFAQHow_to_generate_a_log_file3F
72 Contact Us
Company website
httpwwwneoroutercom
Technical support
supportneoroutercom
Support ticket
httpswwwneoroutercomDashboardSendTicketaspx
Support forum
httpwwwneoroutercomforum
Product sales
salesneoroutercom
Knowledge base
httpwwwneoroutercomsupport
User Manual
NeoRouter Inc 2010 Page 31 of 53
4 Configuration Explorer
NeoRouter Configuration Explorer is a Windows application that allows an administrator to manage local or remote
NeoRouter server This is the recommended method to change server settings
If user does not have a Windows computer nrserver CLI can be used to perform most configurations
41 Launch and Sign In
Note Only administrators can sign in Configuration Explorer
a User can launch it from Windows Start Menu | All Programs | NeoRouter | NeoRouter Network Explorer
or from NeoRouter Network Explorer menu ldquoFile | Optionsrdquo
b After launch user will see a sign-in dialog that is similar to the Network Explorer counterpart Please enter
domain name and user credential to sign in If the local host is behind a proxy please click on Connection
button to set proxy information
c After sign in the following general information page will be displayed
User Manual
NeoRouter Inc 2010 Page 32 of 53
42 Managing Users
In the User Accounts page you can perform the following tasks
- View existing users The users list can be sorted by any column
- Add a new user admin will create a temporary password for the new user and user can change the
password in Network Explorer
- Edit user information you can enter anything like employer contact info etc
- Set userrsquos password If a user loses password admin can set a temporary password for himher Then user
can change the password again in Network Explorer
- Disable (block) a user A disabled user will not be able to sign in Network Explorer or Configuration
Explorer The userrsquos profile and ACL settings are retained
- Delete a user all information of this user is deleted
- View the computers that are visible to this user (see ACL section for details)
User Manual
NeoRouter Inc 2010 Page 33 of 53
43 Managing Computers
In the Computers page you can perform the following tasks
- View existing computers please note that the Type column will show ldquoTemporaryrdquo for Network Explore
PortableUSB clients and ldquoPermanentrdquo for regular clients The computer list can be sorted by any column
- Edit a computerrsquos alias When a computer is added to the virtual network NeoRouter reads the computer
name from the OS and displays it in the computer list If you prefer a different name you can create an
alias which will then be used in the computer list
- Edit a computerrsquos description you can enter anything like computer owner location asset id etc
- Edit ACL this will be discussed in next section
User Manual
NeoRouter Inc 2010 Page 34 of 53
44 Access Control List
This feature is available in NeoRouter Profession Edition only
441 Overview
The ACL of a host specifies which users are granted or denied access to the host and which specific services or ports
are allowed Administrators can use ACL to manage a NeoRouter domain that has users with different trust levels
For example Joe uses NeoRouter to manage the office network at his small business He wants to share some
documents on a file server with a customer but block this customer from accessing other services on this file server
and other computers at office At the same time Joe and his coworkers should continue to have full access to all
computers
This can be a daunting task with traditional VPN solutions Once Joersquos customer is connected into the office
network heshe can access all network resources just like Joe and his coworkers If the office uses a domain
controller it can help mitigate the threat but Joe would have to check all the computers to ensure they are secure
Some coworkers can make innocent mistakes and share important files or internal websites with ldquoeveryonerdquo With
NeoRouter Joe can manage all the access control at one place and easily solve this challenge
User Manual
NeoRouter Inc 2010 Page 35 of 53
ACL defines the relationships between users and computers that can be conceptually represented using a table In
Joersquos case he needs to define the ACL as follows
Default User Joe (Admin) Customer Joersquo Co-workers
Default Computer ACL Block all
File Server Allow all Allow file sharing
block other services
Office Computer A Allow all Block all
Office Computer B Allow all Block all
Joersquos laptop Allow all Block all
Customerrsquos Computer
Letrsquos first look at the row for File Server Joersquos customer will only have access to the files sharing service There is
no ACL defined for Joe and his co-workers so the ACL for Default User is effective and they have full access
Similarly the customer will be blocked from accessing office computer A and B as well as Joersquos laptop while Joe
and his coworkers have full access to these computers
When the customer connects to Joersquos NeoRouter domain his computer will be added to the domain Because the
ACL for this computer is undefined it will have the same ACL as ldquoDefault Computerrdquo Thus the customerrsquos
computer will block all users including Joe from accessing it The customer has physical access to his own
computer
442 Define Computer ACL
You can think of a computerrsquos ACL as a row in the above ACL table An admin can select any computer in the
computer list and edit its ACL If a group of computers share the same ACL admin can copy ACL from one
computer to another
To edit the Default Computer ACL you can click on the ldquoEdit Default ACLrdquo button in the tool bar
User Manual
NeoRouter Inc 2010 Page 36 of 53
443 Define ACL entry
An ACL entry defines the relationship between one user and one computer You can think of it as a cell in the above
table To edit an ACL entry you can select the computer in the computer list click Edit ACL in the tool bar and
then select the user in the User List in the following dialog If the user does not exist in the list you can click Add
button and add himher
There are 4 types of ACL entries
Undefined the relationship between the user and the computer is not explicitly defined The user does not
show up in the User List of the ACL In this case the Default User ACL entry for this computer will be
effective
Block All the computer is invisible to the user User cannot add the computer to hisher computer list in
Network Explorer or connect to it
Note admin can view the list of computers that is visible to a specific user Click on the User Accounts tab
choose the user and then click on the ldquoUser Computer Listrdquo button from tool bar
Firewall On User can only access the services in the exceptions list provided by the computer
Firewall Off User can access all services provided by the computer
To define the Default User ACL entry for a computer choose Default User from User List If several users have the
same trust level admin can copy the ACL entry from one user to another using the ldquoCopy Fromrdquo button
444 How Firewall Works
NeoRouter Client Service daemon has a built-in firewall that monitors traffic in the virtual network The firewall
downloads the ACL from server and uses it to allow or deny incoming connections in the virtual network
User Manual
NeoRouter Inc 2010 Page 37 of 53
When a remote computer establishes a direct P2P or relayed connection to local host it also informs which user has
signed into the Network Explorer on the remote computer Then the local hostrsquos firewall will use the user id to
choose the appropriate ACL entry and control the virtual network traffic between these two computers If user does
not sign in Network Explorer on the remote computer the Default User ACL entry is used
As a result NeoRouter firewall can control a userrsquos access to a network resource (a computer or a service on a
computer) based on the ACL
445 Example hub-and-spoke
Jeffrsquos company has three business partners A B and C Jeff needs to setup bidirectional network connections with
each partner but these partners should be invisible to each other Jeff setup a NeoRouter domain and invited the
partners to Then Jeff creates the following ACL to achieve his access control goals
Default User Jeff (Admin) Partner A Partner B Partner C
Default Computer ACL Block all Allow all
Jeffrsquos Computer 1 (Hub 1) Allow all
Jeffrsquos Computer 2 (Hub 2) Allow all
Partner Arsquos Computer
Partner Brsquos computer
Partner Crsquos computer
Every user will have access to Jeffrsquos two computers (hub) because they have Default User ACL entry as ldquoAllow
allrdquo Partner Arsquos computer does not have a specific ACL defined so the Default Computer ACL is effective The
Default Computer ACL grants Jeff access to Partner Arsquos computer but make the computer invisible to Partner B and
C Partner A have physical access to his own computer
446 Example one-way access
Jasonrsquos company provide technical support for customer A Jason needs to have one-way access to Customer Arsquos
computer but block Customer A from accessing Jasonrsquos computer Jason sets up the following ACL for his domain
and invites Customer A to join his domain Jason can access all the computers in the domain while Customer A can
access none except for his own
One day Jason visits another Customer Brsquos office He installs NeoRouter client on Customer Brsquos computer so that he
can provide technical support remotely in the future When he signs into Network Explorer he makes sure to
uncheck ldquoremember my passwordrdquo checkbox When he leaves customer Brsquos office he exits the Network Explorer
Because Network Explorer is not running on Customer Brsquos computer the Default User ACL governs the
connections from Customer Brsquos computer to other computers in the VLAN Thus Customer B does not have access
to any computers except for his own When Jason goes back to his office he can connect to Customer Brsquos computer
remotely and provide customer support
The difference between Customer A and B is that Customer A has a NeoRouter user account while Customer B does
not The result is that Jason has access to all three computers while Customer A or B can only access hisher own
computer
Default User Jason (Admin) Customer A
Default Computer ACL Block all Allow all
Jasonrsquos Computer
Customer Arsquos Computer
Customer Brsquos Computer
User Manual
NeoRouter Inc 2010 Page 38 of 53
45 Managing Server and Domain
In the Settings page you can perform the following tasks
- Change domain name User should have setup a domain during the server installation If you decide to
change the domain name you can create a new domain at NeoRouter Dashboard website and then use
Configuration Explorer to switch the server to new domain
- Change Listen Port this is discussed in the Advanced Configuration chapter
- Change NAT setting this is discussed in the Server Installation chapter
- Change DHCP this is discussed in the Advanced Configuration chapter
Please restart the NeoRouter server daemon after changes
46 Branding
This feature is available in NeoRouter Profession Edition only
Admin can customize the logo on the sign-in page NeoRouter Network Explorer and the banner below the computer
list The customization page of the Configuration Explorer allows user to make these changes The changes will be
effective next time user signs into the Network Explorer
User Manual
NeoRouter Inc 2010 Page 39 of 53
a Logo format custom logo can be JPG JPEG BMP or GIF files The Logo will be displayed in 180 80
pixels and the file will be automatically resized to fit The color of the pixel at (0 0) will be used as the
transparent color
b Banner format custom banner can be JPG JPEG BMP or GIF files The banner will be displayed in
190 42 pixels and the file will be automatically resized to fit
c When user clicks on the banner Network Explorer will launch a web browser and navigate to the link
specified in the ldquoBanner Linkrdquo box The banner link should be a valid URL that begins with http eg
httpwwwgooglecom
User Manual
NeoRouter Inc 2010 Page 40 of 53
47 Server Configuration CLI
Another way to configure the NeoRouter server is to use nrserverrsquos CLI If user does not have a Windows computer
with Configuration Explorer this tool can be used to set most configurations
Usage nrserver [options]
-run [--dbroot ltDBROOTgt]]
-showsettings
-setdomain ltDOMAINNAMEgt ltDOMAINPASSWORDgt
-setport ltPORTgt
-dhcp ltSUBNETgt ltNETMASKgt
-showusers
-adduser ltUSERNAMEgt ltPASSWORDgt [admin|user]
-setpassword ltUSERNAMEgt ltNEW PASSWORDgt
-setrole ltUSERNAMEgt [admin|user]
-enableuser ltUSERNAMEgt
-disableuser ltUSERNAMEgt
-deleteuser ltUSERNAMEgt
-showcomputers
-deletecomputer COMPUTERNAME
-setalias COMPUTERNAME ALIAS
-help
5 Advanced Configuration
51 Change Server Port
By default NeoRouter server listens at TCP port 32976 for incoming client connections User can change the
listening port to any valid number between 1 and 65534
a Launch Configuration Explorer sign in and open the Settings tab
b Click on ldquoChange Portrdquo button input the new listening port and click ldquoOkrdquo to save the settings
c If the NeoRouter Server is running on the same computer user will be prompted for restarting the
NeoRouter Server
d If the NeoRouter Server is running on a different computer or device user needs to restart the server
manually
User Manual
NeoRouter Inc 2010 Page 41 of 53
Note
- The new settings will not take effect until the NeoRouter server stops and restarts
- Since the listening port has been changed all NeoRouter clients connected to the server will be
disconnected and have to reconnect to the server
52 Change DHCP NeoRouter server acts as a DHCP server to allocate the virtual IP address when a NeoRouter client connects to it By default the base IP address is 100002552552550 User can change the base IP address to any valid network IP address to meet the specific requirements
a Run Configuration Explorer sign in and open the ldquoSettingsrdquo tab b Click on ldquoChange DHCPrdquo button input the new IP address and netmask and then click ldquoOkrdquo to save the
settings c If the NeoRouter Server is running on the same computer user will be prompted for restarting the
NeoRouter Server d If the NeoRouter Server is running on a different computer or device user needs to restart the server
manually
Note
- The new settings will not take effect until the NeoRouter server stops and restarts
53 Network Bridge
531 Overview NeoRouter (v099 or later) supports the Network Bridge feature which uses two very different means for
interconnecting networks routing and bridging Once the feature is enabled the ACL feature will be disabled
automatically as we cannot control the packets from the external networks anymore and may cause security issues if
its not setup properly So this is an advanced feature for the users who know about it every well
Routing - refers to the interconnection of separate and independent sub-networks (subnets) which have non-
overlapping ranges of IP addresses Upon receiving a packet sent to it a network router examines the
destination IP address to determine which of several connected networks should receive it after which that packet
is forwarded to the proper network
User Manual
NeoRouter Inc 2010 Page 42 of 53
Bridging - by comparison is much simpler A network bridge is simply an electrical interconnection between
separate physical networks that are all carrying the same ranges of IP addresses Standard dumb network hubs
and switches are examples of network bridges With a hub packets arriving at any port are bridged and sent
out to every other port A switch is a bit smarter since it is able to adaptively learn which network interface cards
(NICs) are attached to which ports But a switch is still interconnecting network segments carrying the same
ranges of IP addresses
532 Routing vs Bridging Although routed connections are the most common and straightforward to configure they suffer from significant
operational limitations By comparison bridged connections are generally much trickier to configure and are not
even natively available under all operating systems so they are not the default connection type But when bridging
is properly setup it correctly does everything that we want
Bridging and routing are functionally very similar with the major difference being that a routed VPN will not pass
IP broadcasts while a bridged VPN will
Routing advantages
Efficiency and scalability
Allows better tuning of MTU for efficiency
Routing disadvantages
Clients must use a WINS server (such as samba) to allow cross-VPN network browsing to work
Routes must be set up linking each subnet
Software that depends on broadcasts will not see machines on the other side of the VPN
Works only with IPv4 in general and IPv6 in cases where tuntap drivers on both ends of the connection
support it explicitly
Bridging advantages
Broadcasts traverse the VPN -- this allows software that depends on LAN broadcasts such as Windows
NetBIOS file sharing and network neighborhood browsing to work
No route statements to configure
Works with any protocol that can function over ethernet
Relatively easy-to-configure solution for road warriors
Bridging disadvantages
Less efficient than routing and does not scale well
533 Setup Network Bridge With either bridging mode or routing mode one can create point-to-site VPN site-to-site VPN or even multiple site-
to-site networks Once a network structure is well designed one can use Featureini file to control NeoRouter client
service to implement it
The file Featureini is located in the main configuration folder which can be various for different OS
On Windows Xp
XDocuments and SettingsAll UsersApplication DataZebraNetworkSystemsNeoRouter
On Vista+
XUsersAll UsersZebraNetworkSystemsNeoRouter
On Linux and Mac OSX
usrlocalZebraNetworkSystemsNeoRouter
On in-a-box
jffs
If it does not exist please create one
The only thing to do is define the parameters in the Featureini file
User Manual
NeoRouter Inc 2010 Page 43 of 53
NetworkBridge=1
LANSegment parameter
This is a set of parameters used for mapping the external IP address or IP range to a virtual IP address so that
NeoRouter can route the packets to the proper tunnel Its defined in the following format
LANSegment[index]=[IP|IP range|segment]VIP
[index] - number start from 1 for example 123
[IP] - a valid external IP address for example 192168129126
[IP range] - a set of external IP addresses in the format as IP_BEGIN-IP_END For example 192168129126-
192168129128
[segment] - a set of external IP addresses in the format as SUBNETWORKNETMASK For example
19216812902552552550
For example
[Default]
NetworkBridge=1
LANSegment1=192168129126-192168129128192168129204
LANSegment2=192168129120192168129205
LANSegment3=192168302552552550192168129206
In the sample above the setting tells NeoRouter how to route packets
Here are several common scenarios
534 Bridging Setup ndash point to site VPN
Requirement
A company wants create a point-to-site VPN so that the employees can remotely access the printers or computers in
the office from home or customer site Since NeoRouter client cannot be installed on the printers and some
User Manual
NeoRouter Inc 2010 Page 44 of 53
computers that are running Unix OS (HP-Unix Solaris or SCO Unix) the NeoRouter Network Bridge feature
would the best choice
Design
Since we want to use the printer its better to use the bridging mode Depending on the requirements we split the
network into 3 groups
1 192168129126 - 192168128128 used for computers or printers
2 192168129200 - 192168129254 used for NeoRouter DHCP
3 Other IP address we dont want packets from these IP range go to our VPN
Setup
1 Setup NeoRouter server and config the DHCP address to 1921681292002552552550
2 Setup the gateway computer by creating a bridge to combine the NeoRouter virtual adapter and a local adapter
On Windows XP+ (except WinXp x64) one can use Windows tool to create a bridge
(check out MSDN for details)
Since some adapters may not fully support prosmic mode one has to enable it manually
(check out httpsupportmicrosoftcomkb302348)
gt netsh bridge show adapter
gt netsh bridge set a 1 e
gt netsh bridge set a 2 e
On Linux one can use brctl command to create a bridge
gt brctl addbr $br
gt brctl addif $br eth0
gt brctl addif $br nrtap
gt ifconfig nrtap 0000 promisc up
gt ifconfig eth0 0000 promisc up
gt ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast
gt
gt ifconfig $br down
gt brctl delbr $br
3 Setup Featureini file on each member of the NeoRouter network The content of the file is
[Default]
NetworkBridge=1
LANSegment1=192168129126-192168129128192168129204
After setting the file restart the nrservice or reboot computer
User Manual
NeoRouter Inc 2010 Page 45 of 53
535 Routing Setup ndash site to site VPN
Requirement
A company wants create a site-to-site VPN to link two offices located in different cities They cannot install
NeoRouter client software on their computers running Unix OS (HP-Unix Solaris or SCO Unix) The NeoRouter
Network Bridge feature would be the best choice
Design
To make the VPN fast its better to use the routing mode From the requirements we can see 3 networks
1 19216812902552552550 Office 1
2 192168302552552550 Office 2
3 100102552552550 NeoRouter virtual network
Setup
1 Setup NeoRouter client on each gateway computers
2 One each gateway computer enable the feature allowing the OS to forward packets
On Windows 2000+
create HKEY_Local_MachineSystemCurrentControlSetServicesTcpipParametersIPEnableRouter
as a string value equal to 1 in the registry This will require a system reboot to take effect To confirm it
is enabled do ipconfig all from the command line IP Routing Enabled should say yes If not confirm your
registry setting and reboot again This setting is flaky in non-server versions of Windows
Also refer to httpsupportmicrosoftcomkb230082en-us
On Linux
gt echo 1 gt procsysnetipv4ip_forward
User Manual
NeoRouter Inc 2010 Page 46 of 53
On Mac OS X
1) The easy way is to create or edit etcsysctlconf and add netinetipforwarding=1
or
2) gt sysctl -w netinetipforwarding=1
3 Setup route on each gateway
On the gateway of the 1921683x network
gt route ndashp add 1921681290 mask 25525500 1001103
On the gateway of the 192168129x network
gt route ndashp add 19216830 mask 25525500 1001102
4 Setup route stable When using routing method you need to tell your other machines how to cross the VPN to
access computers on the opposite network
Option1
This requires more work but limits configuration changes to be at the computer level
On each computer of the 1921683x network
gt route ndashp add 1921681290 mask 25525500 1921683234
On each computer of the 192168129x network
gt route ndashp add 19216830 mask 25525500 192168129129
Option 2 (not all routers support this but it is the minimal configuration method)
On the router acting as the default gateway for 1921683x network add a static route that says any traffic destined
for 1921681290 network go through 1921683x (IP address of NeoRouter PC on 1921683x network)
On the router acting as the default gateway for 192168129x network add a static route that says any traffic
destined for 19216830 network go through 192168129x (IP address of NeoRouter PC on 192168129x
network)
User Manual
NeoRouter Inc 2010 Page 47 of 53
536 Bridging Setup ndash site to site VPN
537 Run Scripts When Network Bridge feature is enabled one can define commands getting called by NR Client on the following
events
These commands should be defined in the Featureini file
1When initialize the tap device but not activate it yet
CmdOnTapInit=xxxxxxxxx
2When the tap device gets activated
CmdOnTapActive=xxxxxxxxx
3When tap device gets destroyed
CmdOnTapUninit=xxxxxxxxx
These options are available on all platforms
For example one can define a script to setup static route table after the tap gets activated and has virtual IP address
assigned
Featureini
CmdOnTapActive=usrbinsetroutetablesh
User Manual
NeoRouter Inc 2010 Page 48 of 53
54 Build Custom Add-on (Windows)
541 Create Custom Add-on You can customize an add-on or even create your own
As an example letrsquos create an add-on to get the system info of a remote computer using PsTools by Mark
Russinovich and systeminfoexe command shipped with Windows
PsTools httptechnetmicrosoftcomen-ussysinternalsbb896649aspx
systeminfo httptechnetmicrosoftcomen-uslibrarybb491007aspx
a Launch NeoRouter Network Explorer open Add-ons Manager dialog
b Click + button to create a new add-on
c In add-on properties dialog enter the following
Add-on name psexec systeminfo
Command
cmdexe C cpstoolspsexecexe NRIPAddress -u ltusernamegt systeminfo amp pause
Please replace ltusernamegt with username on the remote computer
Comment Get SystemInfo of remote machine using psexec
Startup Type Manual
Icon click Change Icon button to choose one thats easy to recognize
d In the command you can use Windows environment variables or NeoRouter variables like
NRIPAddress If you click on the button next to the Command edit box you will see the Edit
Command dialog with a list of variables you can use
User Manual
NeoRouter Inc 2010 Page 49 of 53
e Three Startup types are supported
Manual the add-on will be displayed in the launch pad of Network Explorer and user can manually
launch the program
Automatic after signing in the add-on command is automatically executed when user signs into
NeoRouter Network Explorer
Automatic after Windows starts the add-on command is automatically executed when Windows
starts
f Launch the new add-on just click on the target computer in Network Explorer and choose the add-on in
the pop-up launch pad
User Manual
NeoRouter Inc 2010 Page 50 of 53
g In the above steps I have assumed that PsTools are installed at cPsTools and the remote computer has
telnet service enabled If not lets configure the system now
PsTools download from httptechnetmicrosoftcomen-ussysinternalsbb896649aspx and extract to
cPsTools folder
h Configure telnet service on remote computer This step is required on XPVista but not necessary on
Windows 20032008 servers
Run servicesmsc from the Start -gt Run command window and configured the Telnet service for
Automatic Start the service
Follow the instructions here httpsupportmicrosoftcomkb298060en-us
Launch Windows firewall and add CWINDOWSSystem32tlntsvrexe to exception list
542 Add-on File Formats
NeoRouter supports two types of add-on files nri and nra Most users only need to deal with nri files all files
downloaded from httpwwwneoroutercomaddonsindexhtml are in this format nra files are used by advanced
users to build custom add-ons
nri is the full installation package that contains both the application and the the configure info Users can simply
download nri files from and use the Install button to setup the add-on
nra contains only the configuration info Advanced users can create custom add-ons and export the configuration
info as nra files using the Export button in the add-on properties dialog Then heshe can import the nra file
on another client But remember that you will need to manually setup the application as well
User Manual
NeoRouter Inc 2010 Page 51 of 53
6 Licensing NeoRouter
61 Licensing Overview
NeoRouter Server Professional Edition has a license control mechanism User can purchase either 8 licenses or 256
licenses The number of licenses is the max number of client computers allowed in the virtual network A
NeoRouter client requires one license regardless of whether it is online or offline A NeoRouter PortableUSB client
requires one license when it is connected to the virtual network There is no limit on the number of user accounts
NeoRouter Professional has 30 days trial period Please activate before the trial period expires to ensure
uninterrupted usage The license status and remaining trial days can be found at Configuration Explorerrsquos General
page
62 Activation
If you have purchased NeoRouter Professional Edition you should receive a product key in email Please have the
product key ready before starting the activation process
a Ensure NeoRouter server is running
b Launch Configuration Explorer and sign in
c Open ldquoGeneralrdquo page click on the ldquoActivate Productrdquo button
d Enter the product key in the following dialog
e Click on the ldquoOKrdquo button to activate it
After successful activation the ldquoActivate Productrdquo button will disappear and License status will show as activated
If the server host is non-Windows you can also activate using nrserverrsquos CLI The command is as follows On Mac
nrserver executable is located under LibraryNeoRouter
ldquonrserver ndashactivateproduct ltPRODUCT KEYgtrdquo
63 Product Key Recovery
You should receive a product key in email within 48 hours after your purchase If you lose the product key please
contact us and provide your name company shipping address and email address We will verify the information and
resend the product key to you
User Manual
NeoRouter Inc 2010 Page 52 of 53
7 Troubleshooting and Support
71 Troubleshooting
If you come cross issues when using NeoRouter please use the methods to debug or report
711 Troubleshooting steps
1Install Server
2Check Server
Process
3Check Server
Listening port
4Check Port
Forwarding
6Signin with
Domain
14Check Error
Message
20 Generate Log
and email support
9Install Client
10Check Client
Service Process
11Sign in with
serverrsquos local or
public IP and port
failed
sucessful
15 Manually Start
Servernot found
started
not start
found
not open17 Check Port
conflicts
solved
Not solved
opened
19 Check Router
Port Forward
setting
not work
Set properly
8Ready
Sign in successfully
5Sign in with
public IP and port
successful
Cannot sign in
22 Router Hairpin
issue
Cannot
sign in
12Sign in with
domain name
found
successful
failed
16 Manually Start
Client ServiceNot found
started
13Ready
Sign in successfully
18 Check serverCannot
Sign in
solved
Cannot
sign in
21 Check domain
setting
Not sovled solved
Troubleshooting Steps
Setup Server Setup Client
Note
Step 2 and 10 to check if a process is running you can use Task Manager or Services Console on
Windows or ps command on other platforms
Step 3 to check server listening port you can use telnet or netstat on all platforms You can also
TcpViewer on Windows or NetActView on Linux
Step 4 to check port forwarding you can use httpwwwneoroutercomcheckportphp
Step 5 and 6 Tip ndash use Configuration Explorer instead of Network Explorer to debug server issues
Step 20 next section will explain how to generate log files
User Manual
NeoRouter Inc 2010 Page 53 of 53
Step 22 If your router does not support Hairpin please set serverrsquos LAN address in the Connection
Options dialog See Server Local Address
712 Generate Log
If you need technical support please use the following steps to collect the log files and send them to
supportneoroutercom
a Launch Network Explorer
b Select menu item HelpgtgtTroubleshootinggtgtLog Session to File
c If you want to troubleshoot the server then restart the NeoRouter server service from the servicesmsc if
you want to create log for the client then restart the NeoRouter client service from the servicemsc
d After reproduce the issue select menu item HelpgtgtTroubleshootinggtgt Log Session to File again to disable
the log and restart the service you are trying to log
e Select menu item HelpgtgtTroubleshootinggtgtOpen Configuration Folder and you will see the log file
For advanced users please setup logging settings manually referring to
httpwwwneoroutercomwikiindexphpNeoRouterWikiFAQHow_to_generate_a_log_file3F
72 Contact Us
Company website
httpwwwneoroutercom
Technical support
supportneoroutercom
Support ticket
httpswwwneoroutercomDashboardSendTicketaspx
Support forum
httpwwwneoroutercomforum
Product sales
salesneoroutercom
Knowledge base
httpwwwneoroutercomsupport
User Manual
NeoRouter Inc 2010 Page 32 of 53
42 Managing Users
In the User Accounts page you can perform the following tasks
- View existing users The users list can be sorted by any column
- Add a new user admin will create a temporary password for the new user and user can change the
password in Network Explorer
- Edit user information you can enter anything like employer contact info etc
- Set userrsquos password If a user loses password admin can set a temporary password for himher Then user
can change the password again in Network Explorer
- Disable (block) a user A disabled user will not be able to sign in Network Explorer or Configuration
Explorer The userrsquos profile and ACL settings are retained
- Delete a user all information of this user is deleted
- View the computers that are visible to this user (see ACL section for details)
User Manual
NeoRouter Inc 2010 Page 33 of 53
43 Managing Computers
In the Computers page you can perform the following tasks
- View existing computers please note that the Type column will show ldquoTemporaryrdquo for Network Explore
PortableUSB clients and ldquoPermanentrdquo for regular clients The computer list can be sorted by any column
- Edit a computerrsquos alias When a computer is added to the virtual network NeoRouter reads the computer
name from the OS and displays it in the computer list If you prefer a different name you can create an
alias which will then be used in the computer list
- Edit a computerrsquos description you can enter anything like computer owner location asset id etc
- Edit ACL this will be discussed in next section
User Manual
NeoRouter Inc 2010 Page 34 of 53
44 Access Control List
This feature is available in NeoRouter Profession Edition only
441 Overview
The ACL of a host specifies which users are granted or denied access to the host and which specific services or ports
are allowed Administrators can use ACL to manage a NeoRouter domain that has users with different trust levels
For example Joe uses NeoRouter to manage the office network at his small business He wants to share some
documents on a file server with a customer but block this customer from accessing other services on this file server
and other computers at office At the same time Joe and his coworkers should continue to have full access to all
computers
This can be a daunting task with traditional VPN solutions Once Joersquos customer is connected into the office
network heshe can access all network resources just like Joe and his coworkers If the office uses a domain
controller it can help mitigate the threat but Joe would have to check all the computers to ensure they are secure
Some coworkers can make innocent mistakes and share important files or internal websites with ldquoeveryonerdquo With
NeoRouter Joe can manage all the access control at one place and easily solve this challenge
User Manual
NeoRouter Inc 2010 Page 35 of 53
ACL defines the relationships between users and computers that can be conceptually represented using a table In
Joersquos case he needs to define the ACL as follows
Default User Joe (Admin) Customer Joersquo Co-workers
Default Computer ACL Block all
File Server Allow all Allow file sharing
block other services
Office Computer A Allow all Block all
Office Computer B Allow all Block all
Joersquos laptop Allow all Block all
Customerrsquos Computer
Letrsquos first look at the row for File Server Joersquos customer will only have access to the files sharing service There is
no ACL defined for Joe and his co-workers so the ACL for Default User is effective and they have full access
Similarly the customer will be blocked from accessing office computer A and B as well as Joersquos laptop while Joe
and his coworkers have full access to these computers
When the customer connects to Joersquos NeoRouter domain his computer will be added to the domain Because the
ACL for this computer is undefined it will have the same ACL as ldquoDefault Computerrdquo Thus the customerrsquos
computer will block all users including Joe from accessing it The customer has physical access to his own
computer
442 Define Computer ACL
You can think of a computerrsquos ACL as a row in the above ACL table An admin can select any computer in the
computer list and edit its ACL If a group of computers share the same ACL admin can copy ACL from one
computer to another
To edit the Default Computer ACL you can click on the ldquoEdit Default ACLrdquo button in the tool bar
User Manual
NeoRouter Inc 2010 Page 36 of 53
443 Define ACL entry
An ACL entry defines the relationship between one user and one computer You can think of it as a cell in the above
table To edit an ACL entry you can select the computer in the computer list click Edit ACL in the tool bar and
then select the user in the User List in the following dialog If the user does not exist in the list you can click Add
button and add himher
There are 4 types of ACL entries
Undefined the relationship between the user and the computer is not explicitly defined The user does not
show up in the User List of the ACL In this case the Default User ACL entry for this computer will be
effective
Block All the computer is invisible to the user User cannot add the computer to hisher computer list in
Network Explorer or connect to it
Note admin can view the list of computers that is visible to a specific user Click on the User Accounts tab
choose the user and then click on the ldquoUser Computer Listrdquo button from tool bar
Firewall On User can only access the services in the exceptions list provided by the computer
Firewall Off User can access all services provided by the computer
To define the Default User ACL entry for a computer choose Default User from User List If several users have the
same trust level admin can copy the ACL entry from one user to another using the ldquoCopy Fromrdquo button
444 How Firewall Works
NeoRouter Client Service daemon has a built-in firewall that monitors traffic in the virtual network The firewall
downloads the ACL from server and uses it to allow or deny incoming connections in the virtual network
User Manual
NeoRouter Inc 2010 Page 37 of 53
When a remote computer establishes a direct P2P or relayed connection to local host it also informs which user has
signed into the Network Explorer on the remote computer Then the local hostrsquos firewall will use the user id to
choose the appropriate ACL entry and control the virtual network traffic between these two computers If user does
not sign in Network Explorer on the remote computer the Default User ACL entry is used
As a result NeoRouter firewall can control a userrsquos access to a network resource (a computer or a service on a
computer) based on the ACL
445 Example hub-and-spoke
Jeffrsquos company has three business partners A B and C Jeff needs to setup bidirectional network connections with
each partner but these partners should be invisible to each other Jeff setup a NeoRouter domain and invited the
partners to Then Jeff creates the following ACL to achieve his access control goals
Default User Jeff (Admin) Partner A Partner B Partner C
Default Computer ACL Block all Allow all
Jeffrsquos Computer 1 (Hub 1) Allow all
Jeffrsquos Computer 2 (Hub 2) Allow all
Partner Arsquos Computer
Partner Brsquos computer
Partner Crsquos computer
Every user will have access to Jeffrsquos two computers (hub) because they have Default User ACL entry as ldquoAllow
allrdquo Partner Arsquos computer does not have a specific ACL defined so the Default Computer ACL is effective The
Default Computer ACL grants Jeff access to Partner Arsquos computer but make the computer invisible to Partner B and
C Partner A have physical access to his own computer
446 Example one-way access
Jasonrsquos company provide technical support for customer A Jason needs to have one-way access to Customer Arsquos
computer but block Customer A from accessing Jasonrsquos computer Jason sets up the following ACL for his domain
and invites Customer A to join his domain Jason can access all the computers in the domain while Customer A can
access none except for his own
One day Jason visits another Customer Brsquos office He installs NeoRouter client on Customer Brsquos computer so that he
can provide technical support remotely in the future When he signs into Network Explorer he makes sure to
uncheck ldquoremember my passwordrdquo checkbox When he leaves customer Brsquos office he exits the Network Explorer
Because Network Explorer is not running on Customer Brsquos computer the Default User ACL governs the
connections from Customer Brsquos computer to other computers in the VLAN Thus Customer B does not have access
to any computers except for his own When Jason goes back to his office he can connect to Customer Brsquos computer
remotely and provide customer support
The difference between Customer A and B is that Customer A has a NeoRouter user account while Customer B does
not The result is that Jason has access to all three computers while Customer A or B can only access hisher own
computer
Default User Jason (Admin) Customer A
Default Computer ACL Block all Allow all
Jasonrsquos Computer
Customer Arsquos Computer
Customer Brsquos Computer
User Manual
NeoRouter Inc 2010 Page 38 of 53
45 Managing Server and Domain
In the Settings page you can perform the following tasks
- Change domain name User should have setup a domain during the server installation If you decide to
change the domain name you can create a new domain at NeoRouter Dashboard website and then use
Configuration Explorer to switch the server to new domain
- Change Listen Port this is discussed in the Advanced Configuration chapter
- Change NAT setting this is discussed in the Server Installation chapter
- Change DHCP this is discussed in the Advanced Configuration chapter
Please restart the NeoRouter server daemon after changes
46 Branding
This feature is available in NeoRouter Profession Edition only
Admin can customize the logo on the sign-in page NeoRouter Network Explorer and the banner below the computer
list The customization page of the Configuration Explorer allows user to make these changes The changes will be
effective next time user signs into the Network Explorer
User Manual
NeoRouter Inc 2010 Page 39 of 53
a Logo format custom logo can be JPG JPEG BMP or GIF files The Logo will be displayed in 180 80
pixels and the file will be automatically resized to fit The color of the pixel at (0 0) will be used as the
transparent color
b Banner format custom banner can be JPG JPEG BMP or GIF files The banner will be displayed in
190 42 pixels and the file will be automatically resized to fit
c When user clicks on the banner Network Explorer will launch a web browser and navigate to the link
specified in the ldquoBanner Linkrdquo box The banner link should be a valid URL that begins with http eg
httpwwwgooglecom
User Manual
NeoRouter Inc 2010 Page 40 of 53
47 Server Configuration CLI
Another way to configure the NeoRouter server is to use nrserverrsquos CLI If user does not have a Windows computer
with Configuration Explorer this tool can be used to set most configurations
Usage nrserver [options]
-run [--dbroot ltDBROOTgt]]
-showsettings
-setdomain ltDOMAINNAMEgt ltDOMAINPASSWORDgt
-setport ltPORTgt
-dhcp ltSUBNETgt ltNETMASKgt
-showusers
-adduser ltUSERNAMEgt ltPASSWORDgt [admin|user]
-setpassword ltUSERNAMEgt ltNEW PASSWORDgt
-setrole ltUSERNAMEgt [admin|user]
-enableuser ltUSERNAMEgt
-disableuser ltUSERNAMEgt
-deleteuser ltUSERNAMEgt
-showcomputers
-deletecomputer COMPUTERNAME
-setalias COMPUTERNAME ALIAS
-help
5 Advanced Configuration
51 Change Server Port
By default NeoRouter server listens at TCP port 32976 for incoming client connections User can change the
listening port to any valid number between 1 and 65534
a Launch Configuration Explorer sign in and open the Settings tab
b Click on ldquoChange Portrdquo button input the new listening port and click ldquoOkrdquo to save the settings
c If the NeoRouter Server is running on the same computer user will be prompted for restarting the
NeoRouter Server
d If the NeoRouter Server is running on a different computer or device user needs to restart the server
manually
User Manual
NeoRouter Inc 2010 Page 41 of 53
Note
- The new settings will not take effect until the NeoRouter server stops and restarts
- Since the listening port has been changed all NeoRouter clients connected to the server will be
disconnected and have to reconnect to the server
52 Change DHCP NeoRouter server acts as a DHCP server to allocate the virtual IP address when a NeoRouter client connects to it By default the base IP address is 100002552552550 User can change the base IP address to any valid network IP address to meet the specific requirements
a Run Configuration Explorer sign in and open the ldquoSettingsrdquo tab b Click on ldquoChange DHCPrdquo button input the new IP address and netmask and then click ldquoOkrdquo to save the
settings c If the NeoRouter Server is running on the same computer user will be prompted for restarting the
NeoRouter Server d If the NeoRouter Server is running on a different computer or device user needs to restart the server
manually
Note
- The new settings will not take effect until the NeoRouter server stops and restarts
53 Network Bridge
531 Overview NeoRouter (v099 or later) supports the Network Bridge feature which uses two very different means for
interconnecting networks routing and bridging Once the feature is enabled the ACL feature will be disabled
automatically as we cannot control the packets from the external networks anymore and may cause security issues if
its not setup properly So this is an advanced feature for the users who know about it every well
Routing - refers to the interconnection of separate and independent sub-networks (subnets) which have non-
overlapping ranges of IP addresses Upon receiving a packet sent to it a network router examines the
destination IP address to determine which of several connected networks should receive it after which that packet
is forwarded to the proper network
User Manual
NeoRouter Inc 2010 Page 42 of 53
Bridging - by comparison is much simpler A network bridge is simply an electrical interconnection between
separate physical networks that are all carrying the same ranges of IP addresses Standard dumb network hubs
and switches are examples of network bridges With a hub packets arriving at any port are bridged and sent
out to every other port A switch is a bit smarter since it is able to adaptively learn which network interface cards
(NICs) are attached to which ports But a switch is still interconnecting network segments carrying the same
ranges of IP addresses
532 Routing vs Bridging Although routed connections are the most common and straightforward to configure they suffer from significant
operational limitations By comparison bridged connections are generally much trickier to configure and are not
even natively available under all operating systems so they are not the default connection type But when bridging
is properly setup it correctly does everything that we want
Bridging and routing are functionally very similar with the major difference being that a routed VPN will not pass
IP broadcasts while a bridged VPN will
Routing advantages
Efficiency and scalability
Allows better tuning of MTU for efficiency
Routing disadvantages
Clients must use a WINS server (such as samba) to allow cross-VPN network browsing to work
Routes must be set up linking each subnet
Software that depends on broadcasts will not see machines on the other side of the VPN
Works only with IPv4 in general and IPv6 in cases where tuntap drivers on both ends of the connection
support it explicitly
Bridging advantages
Broadcasts traverse the VPN -- this allows software that depends on LAN broadcasts such as Windows
NetBIOS file sharing and network neighborhood browsing to work
No route statements to configure
Works with any protocol that can function over ethernet
Relatively easy-to-configure solution for road warriors
Bridging disadvantages
Less efficient than routing and does not scale well
533 Setup Network Bridge With either bridging mode or routing mode one can create point-to-site VPN site-to-site VPN or even multiple site-
to-site networks Once a network structure is well designed one can use Featureini file to control NeoRouter client
service to implement it
The file Featureini is located in the main configuration folder which can be various for different OS
On Windows Xp
XDocuments and SettingsAll UsersApplication DataZebraNetworkSystemsNeoRouter
On Vista+
XUsersAll UsersZebraNetworkSystemsNeoRouter
On Linux and Mac OSX
usrlocalZebraNetworkSystemsNeoRouter
On in-a-box
jffs
If it does not exist please create one
The only thing to do is define the parameters in the Featureini file
User Manual
NeoRouter Inc 2010 Page 43 of 53
NetworkBridge=1
LANSegment parameter
This is a set of parameters used for mapping the external IP address or IP range to a virtual IP address so that
NeoRouter can route the packets to the proper tunnel Its defined in the following format
LANSegment[index]=[IP|IP range|segment]VIP
[index] - number start from 1 for example 123
[IP] - a valid external IP address for example 192168129126
[IP range] - a set of external IP addresses in the format as IP_BEGIN-IP_END For example 192168129126-
192168129128
[segment] - a set of external IP addresses in the format as SUBNETWORKNETMASK For example
19216812902552552550
For example
[Default]
NetworkBridge=1
LANSegment1=192168129126-192168129128192168129204
LANSegment2=192168129120192168129205
LANSegment3=192168302552552550192168129206
In the sample above the setting tells NeoRouter how to route packets
Here are several common scenarios
534 Bridging Setup ndash point to site VPN
Requirement
A company wants create a point-to-site VPN so that the employees can remotely access the printers or computers in
the office from home or customer site Since NeoRouter client cannot be installed on the printers and some
User Manual
NeoRouter Inc 2010 Page 44 of 53
computers that are running Unix OS (HP-Unix Solaris or SCO Unix) the NeoRouter Network Bridge feature
would the best choice
Design
Since we want to use the printer its better to use the bridging mode Depending on the requirements we split the
network into 3 groups
1 192168129126 - 192168128128 used for computers or printers
2 192168129200 - 192168129254 used for NeoRouter DHCP
3 Other IP address we dont want packets from these IP range go to our VPN
Setup
1 Setup NeoRouter server and config the DHCP address to 1921681292002552552550
2 Setup the gateway computer by creating a bridge to combine the NeoRouter virtual adapter and a local adapter
On Windows XP+ (except WinXp x64) one can use Windows tool to create a bridge
(check out MSDN for details)
Since some adapters may not fully support prosmic mode one has to enable it manually
(check out httpsupportmicrosoftcomkb302348)
gt netsh bridge show adapter
gt netsh bridge set a 1 e
gt netsh bridge set a 2 e
On Linux one can use brctl command to create a bridge
gt brctl addbr $br
gt brctl addif $br eth0
gt brctl addif $br nrtap
gt ifconfig nrtap 0000 promisc up
gt ifconfig eth0 0000 promisc up
gt ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast
gt
gt ifconfig $br down
gt brctl delbr $br
3 Setup Featureini file on each member of the NeoRouter network The content of the file is
[Default]
NetworkBridge=1
LANSegment1=192168129126-192168129128192168129204
After setting the file restart the nrservice or reboot computer
User Manual
NeoRouter Inc 2010 Page 45 of 53
535 Routing Setup ndash site to site VPN
Requirement
A company wants create a site-to-site VPN to link two offices located in different cities They cannot install
NeoRouter client software on their computers running Unix OS (HP-Unix Solaris or SCO Unix) The NeoRouter
Network Bridge feature would be the best choice
Design
To make the VPN fast its better to use the routing mode From the requirements we can see 3 networks
1 19216812902552552550 Office 1
2 192168302552552550 Office 2
3 100102552552550 NeoRouter virtual network
Setup
1 Setup NeoRouter client on each gateway computers
2 One each gateway computer enable the feature allowing the OS to forward packets
On Windows 2000+
create HKEY_Local_MachineSystemCurrentControlSetServicesTcpipParametersIPEnableRouter
as a string value equal to 1 in the registry This will require a system reboot to take effect To confirm it
is enabled do ipconfig all from the command line IP Routing Enabled should say yes If not confirm your
registry setting and reboot again This setting is flaky in non-server versions of Windows
Also refer to httpsupportmicrosoftcomkb230082en-us
On Linux
gt echo 1 gt procsysnetipv4ip_forward
User Manual
NeoRouter Inc 2010 Page 46 of 53
On Mac OS X
1) The easy way is to create or edit etcsysctlconf and add netinetipforwarding=1
or
2) gt sysctl -w netinetipforwarding=1
3 Setup route on each gateway
On the gateway of the 1921683x network
gt route ndashp add 1921681290 mask 25525500 1001103
On the gateway of the 192168129x network
gt route ndashp add 19216830 mask 25525500 1001102
4 Setup route stable When using routing method you need to tell your other machines how to cross the VPN to
access computers on the opposite network
Option1
This requires more work but limits configuration changes to be at the computer level
On each computer of the 1921683x network
gt route ndashp add 1921681290 mask 25525500 1921683234
On each computer of the 192168129x network
gt route ndashp add 19216830 mask 25525500 192168129129
Option 2 (not all routers support this but it is the minimal configuration method)
On the router acting as the default gateway for 1921683x network add a static route that says any traffic destined
for 1921681290 network go through 1921683x (IP address of NeoRouter PC on 1921683x network)
On the router acting as the default gateway for 192168129x network add a static route that says any traffic
destined for 19216830 network go through 192168129x (IP address of NeoRouter PC on 192168129x
network)
User Manual
NeoRouter Inc 2010 Page 47 of 53
536 Bridging Setup ndash site to site VPN
537 Run Scripts When Network Bridge feature is enabled one can define commands getting called by NR Client on the following
events
These commands should be defined in the Featureini file
1When initialize the tap device but not activate it yet
CmdOnTapInit=xxxxxxxxx
2When the tap device gets activated
CmdOnTapActive=xxxxxxxxx
3When tap device gets destroyed
CmdOnTapUninit=xxxxxxxxx
These options are available on all platforms
For example one can define a script to setup static route table after the tap gets activated and has virtual IP address
assigned
Featureini
CmdOnTapActive=usrbinsetroutetablesh
User Manual
NeoRouter Inc 2010 Page 48 of 53
54 Build Custom Add-on (Windows)
541 Create Custom Add-on You can customize an add-on or even create your own
As an example letrsquos create an add-on to get the system info of a remote computer using PsTools by Mark
Russinovich and systeminfoexe command shipped with Windows
PsTools httptechnetmicrosoftcomen-ussysinternalsbb896649aspx
systeminfo httptechnetmicrosoftcomen-uslibrarybb491007aspx
a Launch NeoRouter Network Explorer open Add-ons Manager dialog
b Click + button to create a new add-on
c In add-on properties dialog enter the following
Add-on name psexec systeminfo
Command
cmdexe C cpstoolspsexecexe NRIPAddress -u ltusernamegt systeminfo amp pause
Please replace ltusernamegt with username on the remote computer
Comment Get SystemInfo of remote machine using psexec
Startup Type Manual
Icon click Change Icon button to choose one thats easy to recognize
d In the command you can use Windows environment variables or NeoRouter variables like
NRIPAddress If you click on the button next to the Command edit box you will see the Edit
Command dialog with a list of variables you can use
User Manual
NeoRouter Inc 2010 Page 49 of 53
e Three Startup types are supported
Manual the add-on will be displayed in the launch pad of Network Explorer and user can manually
launch the program
Automatic after signing in the add-on command is automatically executed when user signs into
NeoRouter Network Explorer
Automatic after Windows starts the add-on command is automatically executed when Windows
starts
f Launch the new add-on just click on the target computer in Network Explorer and choose the add-on in
the pop-up launch pad
User Manual
NeoRouter Inc 2010 Page 50 of 53
g In the above steps I have assumed that PsTools are installed at cPsTools and the remote computer has
telnet service enabled If not lets configure the system now
PsTools download from httptechnetmicrosoftcomen-ussysinternalsbb896649aspx and extract to
cPsTools folder
h Configure telnet service on remote computer This step is required on XPVista but not necessary on
Windows 20032008 servers
Run servicesmsc from the Start -gt Run command window and configured the Telnet service for
Automatic Start the service
Follow the instructions here httpsupportmicrosoftcomkb298060en-us
Launch Windows firewall and add CWINDOWSSystem32tlntsvrexe to exception list
542 Add-on File Formats
NeoRouter supports two types of add-on files nri and nra Most users only need to deal with nri files all files
downloaded from httpwwwneoroutercomaddonsindexhtml are in this format nra files are used by advanced
users to build custom add-ons
nri is the full installation package that contains both the application and the the configure info Users can simply
download nri files from and use the Install button to setup the add-on
nra contains only the configuration info Advanced users can create custom add-ons and export the configuration
info as nra files using the Export button in the add-on properties dialog Then heshe can import the nra file
on another client But remember that you will need to manually setup the application as well
User Manual
NeoRouter Inc 2010 Page 51 of 53
6 Licensing NeoRouter
61 Licensing Overview
NeoRouter Server Professional Edition has a license control mechanism User can purchase either 8 licenses or 256
licenses The number of licenses is the max number of client computers allowed in the virtual network A
NeoRouter client requires one license regardless of whether it is online or offline A NeoRouter PortableUSB client
requires one license when it is connected to the virtual network There is no limit on the number of user accounts
NeoRouter Professional has 30 days trial period Please activate before the trial period expires to ensure
uninterrupted usage The license status and remaining trial days can be found at Configuration Explorerrsquos General
page
62 Activation
If you have purchased NeoRouter Professional Edition you should receive a product key in email Please have the
product key ready before starting the activation process
a Ensure NeoRouter server is running
b Launch Configuration Explorer and sign in
c Open ldquoGeneralrdquo page click on the ldquoActivate Productrdquo button
d Enter the product key in the following dialog
e Click on the ldquoOKrdquo button to activate it
After successful activation the ldquoActivate Productrdquo button will disappear and License status will show as activated
If the server host is non-Windows you can also activate using nrserverrsquos CLI The command is as follows On Mac
nrserver executable is located under LibraryNeoRouter
ldquonrserver ndashactivateproduct ltPRODUCT KEYgtrdquo
63 Product Key Recovery
You should receive a product key in email within 48 hours after your purchase If you lose the product key please
contact us and provide your name company shipping address and email address We will verify the information and
resend the product key to you
User Manual
NeoRouter Inc 2010 Page 52 of 53
7 Troubleshooting and Support
71 Troubleshooting
If you come cross issues when using NeoRouter please use the methods to debug or report
711 Troubleshooting steps
1Install Server
2Check Server
Process
3Check Server
Listening port
4Check Port
Forwarding
6Signin with
Domain
14Check Error
Message
20 Generate Log
and email support
9Install Client
10Check Client
Service Process
11Sign in with
serverrsquos local or
public IP and port
failed
sucessful
15 Manually Start
Servernot found
started
not start
found
not open17 Check Port
conflicts
solved
Not solved
opened
19 Check Router
Port Forward
setting
not work
Set properly
8Ready
Sign in successfully
5Sign in with
public IP and port
successful
Cannot sign in
22 Router Hairpin
issue
Cannot
sign in
12Sign in with
domain name
found
successful
failed
16 Manually Start
Client ServiceNot found
started
13Ready
Sign in successfully
18 Check serverCannot
Sign in
solved
Cannot
sign in
21 Check domain
setting
Not sovled solved
Troubleshooting Steps
Setup Server Setup Client
Note
Step 2 and 10 to check if a process is running you can use Task Manager or Services Console on
Windows or ps command on other platforms
Step 3 to check server listening port you can use telnet or netstat on all platforms You can also
TcpViewer on Windows or NetActView on Linux
Step 4 to check port forwarding you can use httpwwwneoroutercomcheckportphp
Step 5 and 6 Tip ndash use Configuration Explorer instead of Network Explorer to debug server issues
Step 20 next section will explain how to generate log files
User Manual
NeoRouter Inc 2010 Page 53 of 53
Step 22 If your router does not support Hairpin please set serverrsquos LAN address in the Connection
Options dialog See Server Local Address
712 Generate Log
If you need technical support please use the following steps to collect the log files and send them to
supportneoroutercom
a Launch Network Explorer
b Select menu item HelpgtgtTroubleshootinggtgtLog Session to File
c If you want to troubleshoot the server then restart the NeoRouter server service from the servicesmsc if
you want to create log for the client then restart the NeoRouter client service from the servicemsc
d After reproduce the issue select menu item HelpgtgtTroubleshootinggtgt Log Session to File again to disable
the log and restart the service you are trying to log
e Select menu item HelpgtgtTroubleshootinggtgtOpen Configuration Folder and you will see the log file
For advanced users please setup logging settings manually referring to
httpwwwneoroutercomwikiindexphpNeoRouterWikiFAQHow_to_generate_a_log_file3F
72 Contact Us
Company website
httpwwwneoroutercom
Technical support
supportneoroutercom
Support ticket
httpswwwneoroutercomDashboardSendTicketaspx
Support forum
httpwwwneoroutercomforum
Product sales
salesneoroutercom
Knowledge base
httpwwwneoroutercomsupport
User Manual
NeoRouter Inc 2010 Page 33 of 53
43 Managing Computers
In the Computers page you can perform the following tasks
- View existing computers please note that the Type column will show ldquoTemporaryrdquo for Network Explore
PortableUSB clients and ldquoPermanentrdquo for regular clients The computer list can be sorted by any column
- Edit a computerrsquos alias When a computer is added to the virtual network NeoRouter reads the computer
name from the OS and displays it in the computer list If you prefer a different name you can create an
alias which will then be used in the computer list
- Edit a computerrsquos description you can enter anything like computer owner location asset id etc
- Edit ACL this will be discussed in next section
User Manual
NeoRouter Inc 2010 Page 34 of 53
44 Access Control List
This feature is available in NeoRouter Profession Edition only
441 Overview
The ACL of a host specifies which users are granted or denied access to the host and which specific services or ports
are allowed Administrators can use ACL to manage a NeoRouter domain that has users with different trust levels
For example Joe uses NeoRouter to manage the office network at his small business He wants to share some
documents on a file server with a customer but block this customer from accessing other services on this file server
and other computers at office At the same time Joe and his coworkers should continue to have full access to all
computers
This can be a daunting task with traditional VPN solutions Once Joersquos customer is connected into the office
network heshe can access all network resources just like Joe and his coworkers If the office uses a domain
controller it can help mitigate the threat but Joe would have to check all the computers to ensure they are secure
Some coworkers can make innocent mistakes and share important files or internal websites with ldquoeveryonerdquo With
NeoRouter Joe can manage all the access control at one place and easily solve this challenge
User Manual
NeoRouter Inc 2010 Page 35 of 53
ACL defines the relationships between users and computers that can be conceptually represented using a table In
Joersquos case he needs to define the ACL as follows
Default User Joe (Admin) Customer Joersquo Co-workers
Default Computer ACL Block all
File Server Allow all Allow file sharing
block other services
Office Computer A Allow all Block all
Office Computer B Allow all Block all
Joersquos laptop Allow all Block all
Customerrsquos Computer
Letrsquos first look at the row for File Server Joersquos customer will only have access to the files sharing service There is
no ACL defined for Joe and his co-workers so the ACL for Default User is effective and they have full access
Similarly the customer will be blocked from accessing office computer A and B as well as Joersquos laptop while Joe
and his coworkers have full access to these computers
When the customer connects to Joersquos NeoRouter domain his computer will be added to the domain Because the
ACL for this computer is undefined it will have the same ACL as ldquoDefault Computerrdquo Thus the customerrsquos
computer will block all users including Joe from accessing it The customer has physical access to his own
computer
442 Define Computer ACL
You can think of a computerrsquos ACL as a row in the above ACL table An admin can select any computer in the
computer list and edit its ACL If a group of computers share the same ACL admin can copy ACL from one
computer to another
To edit the Default Computer ACL you can click on the ldquoEdit Default ACLrdquo button in the tool bar
User Manual
NeoRouter Inc 2010 Page 36 of 53
443 Define ACL entry
An ACL entry defines the relationship between one user and one computer You can think of it as a cell in the above
table To edit an ACL entry you can select the computer in the computer list click Edit ACL in the tool bar and
then select the user in the User List in the following dialog If the user does not exist in the list you can click Add
button and add himher
There are 4 types of ACL entries
Undefined the relationship between the user and the computer is not explicitly defined The user does not
show up in the User List of the ACL In this case the Default User ACL entry for this computer will be
effective
Block All the computer is invisible to the user User cannot add the computer to hisher computer list in
Network Explorer or connect to it
Note admin can view the list of computers that is visible to a specific user Click on the User Accounts tab
choose the user and then click on the ldquoUser Computer Listrdquo button from tool bar
Firewall On User can only access the services in the exceptions list provided by the computer
Firewall Off User can access all services provided by the computer
To define the Default User ACL entry for a computer choose Default User from User List If several users have the
same trust level admin can copy the ACL entry from one user to another using the ldquoCopy Fromrdquo button
444 How Firewall Works
NeoRouter Client Service daemon has a built-in firewall that monitors traffic in the virtual network The firewall
downloads the ACL from server and uses it to allow or deny incoming connections in the virtual network
User Manual
NeoRouter Inc 2010 Page 37 of 53
When a remote computer establishes a direct P2P or relayed connection to local host it also informs which user has
signed into the Network Explorer on the remote computer Then the local hostrsquos firewall will use the user id to
choose the appropriate ACL entry and control the virtual network traffic between these two computers If user does
not sign in Network Explorer on the remote computer the Default User ACL entry is used
As a result NeoRouter firewall can control a userrsquos access to a network resource (a computer or a service on a
computer) based on the ACL
445 Example hub-and-spoke
Jeffrsquos company has three business partners A B and C Jeff needs to setup bidirectional network connections with
each partner but these partners should be invisible to each other Jeff setup a NeoRouter domain and invited the
partners to Then Jeff creates the following ACL to achieve his access control goals
Default User Jeff (Admin) Partner A Partner B Partner C
Default Computer ACL Block all Allow all
Jeffrsquos Computer 1 (Hub 1) Allow all
Jeffrsquos Computer 2 (Hub 2) Allow all
Partner Arsquos Computer
Partner Brsquos computer
Partner Crsquos computer
Every user will have access to Jeffrsquos two computers (hub) because they have Default User ACL entry as ldquoAllow
allrdquo Partner Arsquos computer does not have a specific ACL defined so the Default Computer ACL is effective The
Default Computer ACL grants Jeff access to Partner Arsquos computer but make the computer invisible to Partner B and
C Partner A have physical access to his own computer
446 Example one-way access
Jasonrsquos company provide technical support for customer A Jason needs to have one-way access to Customer Arsquos
computer but block Customer A from accessing Jasonrsquos computer Jason sets up the following ACL for his domain
and invites Customer A to join his domain Jason can access all the computers in the domain while Customer A can
access none except for his own
One day Jason visits another Customer Brsquos office He installs NeoRouter client on Customer Brsquos computer so that he
can provide technical support remotely in the future When he signs into Network Explorer he makes sure to
uncheck ldquoremember my passwordrdquo checkbox When he leaves customer Brsquos office he exits the Network Explorer
Because Network Explorer is not running on Customer Brsquos computer the Default User ACL governs the
connections from Customer Brsquos computer to other computers in the VLAN Thus Customer B does not have access
to any computers except for his own When Jason goes back to his office he can connect to Customer Brsquos computer
remotely and provide customer support
The difference between Customer A and B is that Customer A has a NeoRouter user account while Customer B does
not The result is that Jason has access to all three computers while Customer A or B can only access hisher own
computer
Default User Jason (Admin) Customer A
Default Computer ACL Block all Allow all
Jasonrsquos Computer
Customer Arsquos Computer
Customer Brsquos Computer
User Manual
NeoRouter Inc 2010 Page 38 of 53
45 Managing Server and Domain
In the Settings page you can perform the following tasks
- Change domain name User should have setup a domain during the server installation If you decide to
change the domain name you can create a new domain at NeoRouter Dashboard website and then use
Configuration Explorer to switch the server to new domain
- Change Listen Port this is discussed in the Advanced Configuration chapter
- Change NAT setting this is discussed in the Server Installation chapter
- Change DHCP this is discussed in the Advanced Configuration chapter
Please restart the NeoRouter server daemon after changes
46 Branding
This feature is available in NeoRouter Profession Edition only
Admin can customize the logo on the sign-in page NeoRouter Network Explorer and the banner below the computer
list The customization page of the Configuration Explorer allows user to make these changes The changes will be
effective next time user signs into the Network Explorer
User Manual
NeoRouter Inc 2010 Page 39 of 53
a Logo format custom logo can be JPG JPEG BMP or GIF files The Logo will be displayed in 180 80
pixels and the file will be automatically resized to fit The color of the pixel at (0 0) will be used as the
transparent color
b Banner format custom banner can be JPG JPEG BMP or GIF files The banner will be displayed in
190 42 pixels and the file will be automatically resized to fit
c When user clicks on the banner Network Explorer will launch a web browser and navigate to the link
specified in the ldquoBanner Linkrdquo box The banner link should be a valid URL that begins with http eg
httpwwwgooglecom
User Manual
NeoRouter Inc 2010 Page 40 of 53
47 Server Configuration CLI
Another way to configure the NeoRouter server is to use nrserverrsquos CLI If user does not have a Windows computer
with Configuration Explorer this tool can be used to set most configurations
Usage nrserver [options]
-run [--dbroot ltDBROOTgt]]
-showsettings
-setdomain ltDOMAINNAMEgt ltDOMAINPASSWORDgt
-setport ltPORTgt
-dhcp ltSUBNETgt ltNETMASKgt
-showusers
-adduser ltUSERNAMEgt ltPASSWORDgt [admin|user]
-setpassword ltUSERNAMEgt ltNEW PASSWORDgt
-setrole ltUSERNAMEgt [admin|user]
-enableuser ltUSERNAMEgt
-disableuser ltUSERNAMEgt
-deleteuser ltUSERNAMEgt
-showcomputers
-deletecomputer COMPUTERNAME
-setalias COMPUTERNAME ALIAS
-help
5 Advanced Configuration
51 Change Server Port
By default NeoRouter server listens at TCP port 32976 for incoming client connections User can change the
listening port to any valid number between 1 and 65534
a Launch Configuration Explorer sign in and open the Settings tab
b Click on ldquoChange Portrdquo button input the new listening port and click ldquoOkrdquo to save the settings
c If the NeoRouter Server is running on the same computer user will be prompted for restarting the
NeoRouter Server
d If the NeoRouter Server is running on a different computer or device user needs to restart the server
manually
User Manual
NeoRouter Inc 2010 Page 41 of 53
Note
- The new settings will not take effect until the NeoRouter server stops and restarts
- Since the listening port has been changed all NeoRouter clients connected to the server will be
disconnected and have to reconnect to the server
52 Change DHCP NeoRouter server acts as a DHCP server to allocate the virtual IP address when a NeoRouter client connects to it By default the base IP address is 100002552552550 User can change the base IP address to any valid network IP address to meet the specific requirements
a Run Configuration Explorer sign in and open the ldquoSettingsrdquo tab b Click on ldquoChange DHCPrdquo button input the new IP address and netmask and then click ldquoOkrdquo to save the
settings c If the NeoRouter Server is running on the same computer user will be prompted for restarting the
NeoRouter Server d If the NeoRouter Server is running on a different computer or device user needs to restart the server
manually
Note
- The new settings will not take effect until the NeoRouter server stops and restarts
53 Network Bridge
531 Overview NeoRouter (v099 or later) supports the Network Bridge feature which uses two very different means for
interconnecting networks routing and bridging Once the feature is enabled the ACL feature will be disabled
automatically as we cannot control the packets from the external networks anymore and may cause security issues if
its not setup properly So this is an advanced feature for the users who know about it every well
Routing - refers to the interconnection of separate and independent sub-networks (subnets) which have non-
overlapping ranges of IP addresses Upon receiving a packet sent to it a network router examines the
destination IP address to determine which of several connected networks should receive it after which that packet
is forwarded to the proper network
User Manual
NeoRouter Inc 2010 Page 42 of 53
Bridging - by comparison is much simpler A network bridge is simply an electrical interconnection between
separate physical networks that are all carrying the same ranges of IP addresses Standard dumb network hubs
and switches are examples of network bridges With a hub packets arriving at any port are bridged and sent
out to every other port A switch is a bit smarter since it is able to adaptively learn which network interface cards
(NICs) are attached to which ports But a switch is still interconnecting network segments carrying the same
ranges of IP addresses
532 Routing vs Bridging Although routed connections are the most common and straightforward to configure they suffer from significant
operational limitations By comparison bridged connections are generally much trickier to configure and are not
even natively available under all operating systems so they are not the default connection type But when bridging
is properly setup it correctly does everything that we want
Bridging and routing are functionally very similar with the major difference being that a routed VPN will not pass
IP broadcasts while a bridged VPN will
Routing advantages
Efficiency and scalability
Allows better tuning of MTU for efficiency
Routing disadvantages
Clients must use a WINS server (such as samba) to allow cross-VPN network browsing to work
Routes must be set up linking each subnet
Software that depends on broadcasts will not see machines on the other side of the VPN
Works only with IPv4 in general and IPv6 in cases where tuntap drivers on both ends of the connection
support it explicitly
Bridging advantages
Broadcasts traverse the VPN -- this allows software that depends on LAN broadcasts such as Windows
NetBIOS file sharing and network neighborhood browsing to work
No route statements to configure
Works with any protocol that can function over ethernet
Relatively easy-to-configure solution for road warriors
Bridging disadvantages
Less efficient than routing and does not scale well
533 Setup Network Bridge With either bridging mode or routing mode one can create point-to-site VPN site-to-site VPN or even multiple site-
to-site networks Once a network structure is well designed one can use Featureini file to control NeoRouter client
service to implement it
The file Featureini is located in the main configuration folder which can be various for different OS
On Windows Xp
XDocuments and SettingsAll UsersApplication DataZebraNetworkSystemsNeoRouter
On Vista+
XUsersAll UsersZebraNetworkSystemsNeoRouter
On Linux and Mac OSX
usrlocalZebraNetworkSystemsNeoRouter
On in-a-box
jffs
If it does not exist please create one
The only thing to do is define the parameters in the Featureini file
User Manual
NeoRouter Inc 2010 Page 43 of 53
NetworkBridge=1
LANSegment parameter
This is a set of parameters used for mapping the external IP address or IP range to a virtual IP address so that
NeoRouter can route the packets to the proper tunnel Its defined in the following format
LANSegment[index]=[IP|IP range|segment]VIP
[index] - number start from 1 for example 123
[IP] - a valid external IP address for example 192168129126
[IP range] - a set of external IP addresses in the format as IP_BEGIN-IP_END For example 192168129126-
192168129128
[segment] - a set of external IP addresses in the format as SUBNETWORKNETMASK For example
19216812902552552550
For example
[Default]
NetworkBridge=1
LANSegment1=192168129126-192168129128192168129204
LANSegment2=192168129120192168129205
LANSegment3=192168302552552550192168129206
In the sample above the setting tells NeoRouter how to route packets
Here are several common scenarios
534 Bridging Setup ndash point to site VPN
Requirement
A company wants create a point-to-site VPN so that the employees can remotely access the printers or computers in
the office from home or customer site Since NeoRouter client cannot be installed on the printers and some
User Manual
NeoRouter Inc 2010 Page 44 of 53
computers that are running Unix OS (HP-Unix Solaris or SCO Unix) the NeoRouter Network Bridge feature
would the best choice
Design
Since we want to use the printer its better to use the bridging mode Depending on the requirements we split the
network into 3 groups
1 192168129126 - 192168128128 used for computers or printers
2 192168129200 - 192168129254 used for NeoRouter DHCP
3 Other IP address we dont want packets from these IP range go to our VPN
Setup
1 Setup NeoRouter server and config the DHCP address to 1921681292002552552550
2 Setup the gateway computer by creating a bridge to combine the NeoRouter virtual adapter and a local adapter
On Windows XP+ (except WinXp x64) one can use Windows tool to create a bridge
(check out MSDN for details)
Since some adapters may not fully support prosmic mode one has to enable it manually
(check out httpsupportmicrosoftcomkb302348)
gt netsh bridge show adapter
gt netsh bridge set a 1 e
gt netsh bridge set a 2 e
On Linux one can use brctl command to create a bridge
gt brctl addbr $br
gt brctl addif $br eth0
gt brctl addif $br nrtap
gt ifconfig nrtap 0000 promisc up
gt ifconfig eth0 0000 promisc up
gt ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast
gt
gt ifconfig $br down
gt brctl delbr $br
3 Setup Featureini file on each member of the NeoRouter network The content of the file is
[Default]
NetworkBridge=1
LANSegment1=192168129126-192168129128192168129204
After setting the file restart the nrservice or reboot computer
User Manual
NeoRouter Inc 2010 Page 45 of 53
535 Routing Setup ndash site to site VPN
Requirement
A company wants create a site-to-site VPN to link two offices located in different cities They cannot install
NeoRouter client software on their computers running Unix OS (HP-Unix Solaris or SCO Unix) The NeoRouter
Network Bridge feature would be the best choice
Design
To make the VPN fast its better to use the routing mode From the requirements we can see 3 networks
1 19216812902552552550 Office 1
2 192168302552552550 Office 2
3 100102552552550 NeoRouter virtual network
Setup
1 Setup NeoRouter client on each gateway computers
2 One each gateway computer enable the feature allowing the OS to forward packets
On Windows 2000+
create HKEY_Local_MachineSystemCurrentControlSetServicesTcpipParametersIPEnableRouter
as a string value equal to 1 in the registry This will require a system reboot to take effect To confirm it
is enabled do ipconfig all from the command line IP Routing Enabled should say yes If not confirm your
registry setting and reboot again This setting is flaky in non-server versions of Windows
Also refer to httpsupportmicrosoftcomkb230082en-us
On Linux
gt echo 1 gt procsysnetipv4ip_forward
User Manual
NeoRouter Inc 2010 Page 46 of 53
On Mac OS X
1) The easy way is to create or edit etcsysctlconf and add netinetipforwarding=1
or
2) gt sysctl -w netinetipforwarding=1
3 Setup route on each gateway
On the gateway of the 1921683x network
gt route ndashp add 1921681290 mask 25525500 1001103
On the gateway of the 192168129x network
gt route ndashp add 19216830 mask 25525500 1001102
4 Setup route stable When using routing method you need to tell your other machines how to cross the VPN to
access computers on the opposite network
Option1
This requires more work but limits configuration changes to be at the computer level
On each computer of the 1921683x network
gt route ndashp add 1921681290 mask 25525500 1921683234
On each computer of the 192168129x network
gt route ndashp add 19216830 mask 25525500 192168129129
Option 2 (not all routers support this but it is the minimal configuration method)
On the router acting as the default gateway for 1921683x network add a static route that says any traffic destined
for 1921681290 network go through 1921683x (IP address of NeoRouter PC on 1921683x network)
On the router acting as the default gateway for 192168129x network add a static route that says any traffic
destined for 19216830 network go through 192168129x (IP address of NeoRouter PC on 192168129x
network)
User Manual
NeoRouter Inc 2010 Page 47 of 53
536 Bridging Setup ndash site to site VPN
537 Run Scripts When Network Bridge feature is enabled one can define commands getting called by NR Client on the following
events
These commands should be defined in the Featureini file
1When initialize the tap device but not activate it yet
CmdOnTapInit=xxxxxxxxx
2When the tap device gets activated
CmdOnTapActive=xxxxxxxxx
3When tap device gets destroyed
CmdOnTapUninit=xxxxxxxxx
These options are available on all platforms
For example one can define a script to setup static route table after the tap gets activated and has virtual IP address
assigned
Featureini
CmdOnTapActive=usrbinsetroutetablesh
User Manual
NeoRouter Inc 2010 Page 48 of 53
54 Build Custom Add-on (Windows)
541 Create Custom Add-on You can customize an add-on or even create your own
As an example letrsquos create an add-on to get the system info of a remote computer using PsTools by Mark
Russinovich and systeminfoexe command shipped with Windows
PsTools httptechnetmicrosoftcomen-ussysinternalsbb896649aspx
systeminfo httptechnetmicrosoftcomen-uslibrarybb491007aspx
a Launch NeoRouter Network Explorer open Add-ons Manager dialog
b Click + button to create a new add-on
c In add-on properties dialog enter the following
Add-on name psexec systeminfo
Command
cmdexe C cpstoolspsexecexe NRIPAddress -u ltusernamegt systeminfo amp pause
Please replace ltusernamegt with username on the remote computer
Comment Get SystemInfo of remote machine using psexec
Startup Type Manual
Icon click Change Icon button to choose one thats easy to recognize
d In the command you can use Windows environment variables or NeoRouter variables like
NRIPAddress If you click on the button next to the Command edit box you will see the Edit
Command dialog with a list of variables you can use
User Manual
NeoRouter Inc 2010 Page 49 of 53
e Three Startup types are supported
Manual the add-on will be displayed in the launch pad of Network Explorer and user can manually
launch the program
Automatic after signing in the add-on command is automatically executed when user signs into
NeoRouter Network Explorer
Automatic after Windows starts the add-on command is automatically executed when Windows
starts
f Launch the new add-on just click on the target computer in Network Explorer and choose the add-on in
the pop-up launch pad
User Manual
NeoRouter Inc 2010 Page 50 of 53
g In the above steps I have assumed that PsTools are installed at cPsTools and the remote computer has
telnet service enabled If not lets configure the system now
PsTools download from httptechnetmicrosoftcomen-ussysinternalsbb896649aspx and extract to
cPsTools folder
h Configure telnet service on remote computer This step is required on XPVista but not necessary on
Windows 20032008 servers
Run servicesmsc from the Start -gt Run command window and configured the Telnet service for
Automatic Start the service
Follow the instructions here httpsupportmicrosoftcomkb298060en-us
Launch Windows firewall and add CWINDOWSSystem32tlntsvrexe to exception list
542 Add-on File Formats
NeoRouter supports two types of add-on files nri and nra Most users only need to deal with nri files all files
downloaded from httpwwwneoroutercomaddonsindexhtml are in this format nra files are used by advanced
users to build custom add-ons
nri is the full installation package that contains both the application and the the configure info Users can simply
download nri files from and use the Install button to setup the add-on
nra contains only the configuration info Advanced users can create custom add-ons and export the configuration
info as nra files using the Export button in the add-on properties dialog Then heshe can import the nra file
on another client But remember that you will need to manually setup the application as well
User Manual
NeoRouter Inc 2010 Page 51 of 53
6 Licensing NeoRouter
61 Licensing Overview
NeoRouter Server Professional Edition has a license control mechanism User can purchase either 8 licenses or 256
licenses The number of licenses is the max number of client computers allowed in the virtual network A
NeoRouter client requires one license regardless of whether it is online or offline A NeoRouter PortableUSB client
requires one license when it is connected to the virtual network There is no limit on the number of user accounts
NeoRouter Professional has 30 days trial period Please activate before the trial period expires to ensure
uninterrupted usage The license status and remaining trial days can be found at Configuration Explorerrsquos General
page
62 Activation
If you have purchased NeoRouter Professional Edition you should receive a product key in email Please have the
product key ready before starting the activation process
a Ensure NeoRouter server is running
b Launch Configuration Explorer and sign in
c Open ldquoGeneralrdquo page click on the ldquoActivate Productrdquo button
d Enter the product key in the following dialog
e Click on the ldquoOKrdquo button to activate it
After successful activation the ldquoActivate Productrdquo button will disappear and License status will show as activated
If the server host is non-Windows you can also activate using nrserverrsquos CLI The command is as follows On Mac
nrserver executable is located under LibraryNeoRouter
ldquonrserver ndashactivateproduct ltPRODUCT KEYgtrdquo
63 Product Key Recovery
You should receive a product key in email within 48 hours after your purchase If you lose the product key please
contact us and provide your name company shipping address and email address We will verify the information and
resend the product key to you
User Manual
NeoRouter Inc 2010 Page 52 of 53
7 Troubleshooting and Support
71 Troubleshooting
If you come cross issues when using NeoRouter please use the methods to debug or report
711 Troubleshooting steps
1Install Server
2Check Server
Process
3Check Server
Listening port
4Check Port
Forwarding
6Signin with
Domain
14Check Error
Message
20 Generate Log
and email support
9Install Client
10Check Client
Service Process
11Sign in with
serverrsquos local or
public IP and port
failed
sucessful
15 Manually Start
Servernot found
started
not start
found
not open17 Check Port
conflicts
solved
Not solved
opened
19 Check Router
Port Forward
setting
not work
Set properly
8Ready
Sign in successfully
5Sign in with
public IP and port
successful
Cannot sign in
22 Router Hairpin
issue
Cannot
sign in
12Sign in with
domain name
found
successful
failed
16 Manually Start
Client ServiceNot found
started
13Ready
Sign in successfully
18 Check serverCannot
Sign in
solved
Cannot
sign in
21 Check domain
setting
Not sovled solved
Troubleshooting Steps
Setup Server Setup Client
Note
Step 2 and 10 to check if a process is running you can use Task Manager or Services Console on
Windows or ps command on other platforms
Step 3 to check server listening port you can use telnet or netstat on all platforms You can also
TcpViewer on Windows or NetActView on Linux
Step 4 to check port forwarding you can use httpwwwneoroutercomcheckportphp
Step 5 and 6 Tip ndash use Configuration Explorer instead of Network Explorer to debug server issues
Step 20 next section will explain how to generate log files
User Manual
NeoRouter Inc 2010 Page 53 of 53
Step 22 If your router does not support Hairpin please set serverrsquos LAN address in the Connection
Options dialog See Server Local Address
712 Generate Log
If you need technical support please use the following steps to collect the log files and send them to
supportneoroutercom
a Launch Network Explorer
b Select menu item HelpgtgtTroubleshootinggtgtLog Session to File
c If you want to troubleshoot the server then restart the NeoRouter server service from the servicesmsc if
you want to create log for the client then restart the NeoRouter client service from the servicemsc
d After reproduce the issue select menu item HelpgtgtTroubleshootinggtgt Log Session to File again to disable
the log and restart the service you are trying to log
e Select menu item HelpgtgtTroubleshootinggtgtOpen Configuration Folder and you will see the log file
For advanced users please setup logging settings manually referring to
httpwwwneoroutercomwikiindexphpNeoRouterWikiFAQHow_to_generate_a_log_file3F
72 Contact Us
Company website
httpwwwneoroutercom
Technical support
supportneoroutercom
Support ticket
httpswwwneoroutercomDashboardSendTicketaspx
Support forum
httpwwwneoroutercomforum
Product sales
salesneoroutercom
Knowledge base
httpwwwneoroutercomsupport
User Manual
NeoRouter Inc 2010 Page 34 of 53
44 Access Control List
This feature is available in NeoRouter Profession Edition only
441 Overview
The ACL of a host specifies which users are granted or denied access to the host and which specific services or ports
are allowed Administrators can use ACL to manage a NeoRouter domain that has users with different trust levels
For example Joe uses NeoRouter to manage the office network at his small business He wants to share some
documents on a file server with a customer but block this customer from accessing other services on this file server
and other computers at office At the same time Joe and his coworkers should continue to have full access to all
computers
This can be a daunting task with traditional VPN solutions Once Joersquos customer is connected into the office
network heshe can access all network resources just like Joe and his coworkers If the office uses a domain
controller it can help mitigate the threat but Joe would have to check all the computers to ensure they are secure
Some coworkers can make innocent mistakes and share important files or internal websites with ldquoeveryonerdquo With
NeoRouter Joe can manage all the access control at one place and easily solve this challenge
User Manual
NeoRouter Inc 2010 Page 35 of 53
ACL defines the relationships between users and computers that can be conceptually represented using a table In
Joersquos case he needs to define the ACL as follows
Default User Joe (Admin) Customer Joersquo Co-workers
Default Computer ACL Block all
File Server Allow all Allow file sharing
block other services
Office Computer A Allow all Block all
Office Computer B Allow all Block all
Joersquos laptop Allow all Block all
Customerrsquos Computer
Letrsquos first look at the row for File Server Joersquos customer will only have access to the files sharing service There is
no ACL defined for Joe and his co-workers so the ACL for Default User is effective and they have full access
Similarly the customer will be blocked from accessing office computer A and B as well as Joersquos laptop while Joe
and his coworkers have full access to these computers
When the customer connects to Joersquos NeoRouter domain his computer will be added to the domain Because the
ACL for this computer is undefined it will have the same ACL as ldquoDefault Computerrdquo Thus the customerrsquos
computer will block all users including Joe from accessing it The customer has physical access to his own
computer
442 Define Computer ACL
You can think of a computerrsquos ACL as a row in the above ACL table An admin can select any computer in the
computer list and edit its ACL If a group of computers share the same ACL admin can copy ACL from one
computer to another
To edit the Default Computer ACL you can click on the ldquoEdit Default ACLrdquo button in the tool bar
User Manual
NeoRouter Inc 2010 Page 36 of 53
443 Define ACL entry
An ACL entry defines the relationship between one user and one computer You can think of it as a cell in the above
table To edit an ACL entry you can select the computer in the computer list click Edit ACL in the tool bar and
then select the user in the User List in the following dialog If the user does not exist in the list you can click Add
button and add himher
There are 4 types of ACL entries
Undefined the relationship between the user and the computer is not explicitly defined The user does not
show up in the User List of the ACL In this case the Default User ACL entry for this computer will be
effective
Block All the computer is invisible to the user User cannot add the computer to hisher computer list in
Network Explorer or connect to it
Note admin can view the list of computers that is visible to a specific user Click on the User Accounts tab
choose the user and then click on the ldquoUser Computer Listrdquo button from tool bar
Firewall On User can only access the services in the exceptions list provided by the computer
Firewall Off User can access all services provided by the computer
To define the Default User ACL entry for a computer choose Default User from User List If several users have the
same trust level admin can copy the ACL entry from one user to another using the ldquoCopy Fromrdquo button
444 How Firewall Works
NeoRouter Client Service daemon has a built-in firewall that monitors traffic in the virtual network The firewall
downloads the ACL from server and uses it to allow or deny incoming connections in the virtual network
User Manual
NeoRouter Inc 2010 Page 37 of 53
When a remote computer establishes a direct P2P or relayed connection to local host it also informs which user has
signed into the Network Explorer on the remote computer Then the local hostrsquos firewall will use the user id to
choose the appropriate ACL entry and control the virtual network traffic between these two computers If user does
not sign in Network Explorer on the remote computer the Default User ACL entry is used
As a result NeoRouter firewall can control a userrsquos access to a network resource (a computer or a service on a
computer) based on the ACL
445 Example hub-and-spoke
Jeffrsquos company has three business partners A B and C Jeff needs to setup bidirectional network connections with
each partner but these partners should be invisible to each other Jeff setup a NeoRouter domain and invited the
partners to Then Jeff creates the following ACL to achieve his access control goals
Default User Jeff (Admin) Partner A Partner B Partner C
Default Computer ACL Block all Allow all
Jeffrsquos Computer 1 (Hub 1) Allow all
Jeffrsquos Computer 2 (Hub 2) Allow all
Partner Arsquos Computer
Partner Brsquos computer
Partner Crsquos computer
Every user will have access to Jeffrsquos two computers (hub) because they have Default User ACL entry as ldquoAllow
allrdquo Partner Arsquos computer does not have a specific ACL defined so the Default Computer ACL is effective The
Default Computer ACL grants Jeff access to Partner Arsquos computer but make the computer invisible to Partner B and
C Partner A have physical access to his own computer
446 Example one-way access
Jasonrsquos company provide technical support for customer A Jason needs to have one-way access to Customer Arsquos
computer but block Customer A from accessing Jasonrsquos computer Jason sets up the following ACL for his domain
and invites Customer A to join his domain Jason can access all the computers in the domain while Customer A can
access none except for his own
One day Jason visits another Customer Brsquos office He installs NeoRouter client on Customer Brsquos computer so that he
can provide technical support remotely in the future When he signs into Network Explorer he makes sure to
uncheck ldquoremember my passwordrdquo checkbox When he leaves customer Brsquos office he exits the Network Explorer
Because Network Explorer is not running on Customer Brsquos computer the Default User ACL governs the
connections from Customer Brsquos computer to other computers in the VLAN Thus Customer B does not have access
to any computers except for his own When Jason goes back to his office he can connect to Customer Brsquos computer
remotely and provide customer support
The difference between Customer A and B is that Customer A has a NeoRouter user account while Customer B does
not The result is that Jason has access to all three computers while Customer A or B can only access hisher own
computer
Default User Jason (Admin) Customer A
Default Computer ACL Block all Allow all
Jasonrsquos Computer
Customer Arsquos Computer
Customer Brsquos Computer
User Manual
NeoRouter Inc 2010 Page 38 of 53
45 Managing Server and Domain
In the Settings page you can perform the following tasks
- Change domain name User should have setup a domain during the server installation If you decide to
change the domain name you can create a new domain at NeoRouter Dashboard website and then use
Configuration Explorer to switch the server to new domain
- Change Listen Port this is discussed in the Advanced Configuration chapter
- Change NAT setting this is discussed in the Server Installation chapter
- Change DHCP this is discussed in the Advanced Configuration chapter
Please restart the NeoRouter server daemon after changes
46 Branding
This feature is available in NeoRouter Profession Edition only
Admin can customize the logo on the sign-in page NeoRouter Network Explorer and the banner below the computer
list The customization page of the Configuration Explorer allows user to make these changes The changes will be
effective next time user signs into the Network Explorer
User Manual
NeoRouter Inc 2010 Page 39 of 53
a Logo format custom logo can be JPG JPEG BMP or GIF files The Logo will be displayed in 180 80
pixels and the file will be automatically resized to fit The color of the pixel at (0 0) will be used as the
transparent color
b Banner format custom banner can be JPG JPEG BMP or GIF files The banner will be displayed in
190 42 pixels and the file will be automatically resized to fit
c When user clicks on the banner Network Explorer will launch a web browser and navigate to the link
specified in the ldquoBanner Linkrdquo box The banner link should be a valid URL that begins with http eg
httpwwwgooglecom
User Manual
NeoRouter Inc 2010 Page 40 of 53
47 Server Configuration CLI
Another way to configure the NeoRouter server is to use nrserverrsquos CLI If user does not have a Windows computer
with Configuration Explorer this tool can be used to set most configurations
Usage nrserver [options]
-run [--dbroot ltDBROOTgt]]
-showsettings
-setdomain ltDOMAINNAMEgt ltDOMAINPASSWORDgt
-setport ltPORTgt
-dhcp ltSUBNETgt ltNETMASKgt
-showusers
-adduser ltUSERNAMEgt ltPASSWORDgt [admin|user]
-setpassword ltUSERNAMEgt ltNEW PASSWORDgt
-setrole ltUSERNAMEgt [admin|user]
-enableuser ltUSERNAMEgt
-disableuser ltUSERNAMEgt
-deleteuser ltUSERNAMEgt
-showcomputers
-deletecomputer COMPUTERNAME
-setalias COMPUTERNAME ALIAS
-help
5 Advanced Configuration
51 Change Server Port
By default NeoRouter server listens at TCP port 32976 for incoming client connections User can change the
listening port to any valid number between 1 and 65534
a Launch Configuration Explorer sign in and open the Settings tab
b Click on ldquoChange Portrdquo button input the new listening port and click ldquoOkrdquo to save the settings
c If the NeoRouter Server is running on the same computer user will be prompted for restarting the
NeoRouter Server
d If the NeoRouter Server is running on a different computer or device user needs to restart the server
manually
User Manual
NeoRouter Inc 2010 Page 41 of 53
Note
- The new settings will not take effect until the NeoRouter server stops and restarts
- Since the listening port has been changed all NeoRouter clients connected to the server will be
disconnected and have to reconnect to the server
52 Change DHCP NeoRouter server acts as a DHCP server to allocate the virtual IP address when a NeoRouter client connects to it By default the base IP address is 100002552552550 User can change the base IP address to any valid network IP address to meet the specific requirements
a Run Configuration Explorer sign in and open the ldquoSettingsrdquo tab b Click on ldquoChange DHCPrdquo button input the new IP address and netmask and then click ldquoOkrdquo to save the
settings c If the NeoRouter Server is running on the same computer user will be prompted for restarting the
NeoRouter Server d If the NeoRouter Server is running on a different computer or device user needs to restart the server
manually
Note
- The new settings will not take effect until the NeoRouter server stops and restarts
53 Network Bridge
531 Overview NeoRouter (v099 or later) supports the Network Bridge feature which uses two very different means for
interconnecting networks routing and bridging Once the feature is enabled the ACL feature will be disabled
automatically as we cannot control the packets from the external networks anymore and may cause security issues if
its not setup properly So this is an advanced feature for the users who know about it every well
Routing - refers to the interconnection of separate and independent sub-networks (subnets) which have non-
overlapping ranges of IP addresses Upon receiving a packet sent to it a network router examines the
destination IP address to determine which of several connected networks should receive it after which that packet
is forwarded to the proper network
User Manual
NeoRouter Inc 2010 Page 42 of 53
Bridging - by comparison is much simpler A network bridge is simply an electrical interconnection between
separate physical networks that are all carrying the same ranges of IP addresses Standard dumb network hubs
and switches are examples of network bridges With a hub packets arriving at any port are bridged and sent
out to every other port A switch is a bit smarter since it is able to adaptively learn which network interface cards
(NICs) are attached to which ports But a switch is still interconnecting network segments carrying the same
ranges of IP addresses
532 Routing vs Bridging Although routed connections are the most common and straightforward to configure they suffer from significant
operational limitations By comparison bridged connections are generally much trickier to configure and are not
even natively available under all operating systems so they are not the default connection type But when bridging
is properly setup it correctly does everything that we want
Bridging and routing are functionally very similar with the major difference being that a routed VPN will not pass
IP broadcasts while a bridged VPN will
Routing advantages
Efficiency and scalability
Allows better tuning of MTU for efficiency
Routing disadvantages
Clients must use a WINS server (such as samba) to allow cross-VPN network browsing to work
Routes must be set up linking each subnet
Software that depends on broadcasts will not see machines on the other side of the VPN
Works only with IPv4 in general and IPv6 in cases where tuntap drivers on both ends of the connection
support it explicitly
Bridging advantages
Broadcasts traverse the VPN -- this allows software that depends on LAN broadcasts such as Windows
NetBIOS file sharing and network neighborhood browsing to work
No route statements to configure
Works with any protocol that can function over ethernet
Relatively easy-to-configure solution for road warriors
Bridging disadvantages
Less efficient than routing and does not scale well
533 Setup Network Bridge With either bridging mode or routing mode one can create point-to-site VPN site-to-site VPN or even multiple site-
to-site networks Once a network structure is well designed one can use Featureini file to control NeoRouter client
service to implement it
The file Featureini is located in the main configuration folder which can be various for different OS
On Windows Xp
XDocuments and SettingsAll UsersApplication DataZebraNetworkSystemsNeoRouter
On Vista+
XUsersAll UsersZebraNetworkSystemsNeoRouter
On Linux and Mac OSX
usrlocalZebraNetworkSystemsNeoRouter
On in-a-box
jffs
If it does not exist please create one
The only thing to do is define the parameters in the Featureini file
User Manual
NeoRouter Inc 2010 Page 43 of 53
NetworkBridge=1
LANSegment parameter
This is a set of parameters used for mapping the external IP address or IP range to a virtual IP address so that
NeoRouter can route the packets to the proper tunnel Its defined in the following format
LANSegment[index]=[IP|IP range|segment]VIP
[index] - number start from 1 for example 123
[IP] - a valid external IP address for example 192168129126
[IP range] - a set of external IP addresses in the format as IP_BEGIN-IP_END For example 192168129126-
192168129128
[segment] - a set of external IP addresses in the format as SUBNETWORKNETMASK For example
19216812902552552550
For example
[Default]
NetworkBridge=1
LANSegment1=192168129126-192168129128192168129204
LANSegment2=192168129120192168129205
LANSegment3=192168302552552550192168129206
In the sample above the setting tells NeoRouter how to route packets
Here are several common scenarios
534 Bridging Setup ndash point to site VPN
Requirement
A company wants create a point-to-site VPN so that the employees can remotely access the printers or computers in
the office from home or customer site Since NeoRouter client cannot be installed on the printers and some
User Manual
NeoRouter Inc 2010 Page 44 of 53
computers that are running Unix OS (HP-Unix Solaris or SCO Unix) the NeoRouter Network Bridge feature
would the best choice
Design
Since we want to use the printer its better to use the bridging mode Depending on the requirements we split the
network into 3 groups
1 192168129126 - 192168128128 used for computers or printers
2 192168129200 - 192168129254 used for NeoRouter DHCP
3 Other IP address we dont want packets from these IP range go to our VPN
Setup
1 Setup NeoRouter server and config the DHCP address to 1921681292002552552550
2 Setup the gateway computer by creating a bridge to combine the NeoRouter virtual adapter and a local adapter
On Windows XP+ (except WinXp x64) one can use Windows tool to create a bridge
(check out MSDN for details)
Since some adapters may not fully support prosmic mode one has to enable it manually
(check out httpsupportmicrosoftcomkb302348)
gt netsh bridge show adapter
gt netsh bridge set a 1 e
gt netsh bridge set a 2 e
On Linux one can use brctl command to create a bridge
gt brctl addbr $br
gt brctl addif $br eth0
gt brctl addif $br nrtap
gt ifconfig nrtap 0000 promisc up
gt ifconfig eth0 0000 promisc up
gt ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast
gt
gt ifconfig $br down
gt brctl delbr $br
3 Setup Featureini file on each member of the NeoRouter network The content of the file is
[Default]
NetworkBridge=1
LANSegment1=192168129126-192168129128192168129204
After setting the file restart the nrservice or reboot computer
User Manual
NeoRouter Inc 2010 Page 45 of 53
535 Routing Setup ndash site to site VPN
Requirement
A company wants create a site-to-site VPN to link two offices located in different cities They cannot install
NeoRouter client software on their computers running Unix OS (HP-Unix Solaris or SCO Unix) The NeoRouter
Network Bridge feature would be the best choice
Design
To make the VPN fast its better to use the routing mode From the requirements we can see 3 networks
1 19216812902552552550 Office 1
2 192168302552552550 Office 2
3 100102552552550 NeoRouter virtual network
Setup
1 Setup NeoRouter client on each gateway computers
2 One each gateway computer enable the feature allowing the OS to forward packets
On Windows 2000+
create HKEY_Local_MachineSystemCurrentControlSetServicesTcpipParametersIPEnableRouter
as a string value equal to 1 in the registry This will require a system reboot to take effect To confirm it
is enabled do ipconfig all from the command line IP Routing Enabled should say yes If not confirm your
registry setting and reboot again This setting is flaky in non-server versions of Windows
Also refer to httpsupportmicrosoftcomkb230082en-us
On Linux
gt echo 1 gt procsysnetipv4ip_forward
User Manual
NeoRouter Inc 2010 Page 46 of 53
On Mac OS X
1) The easy way is to create or edit etcsysctlconf and add netinetipforwarding=1
or
2) gt sysctl -w netinetipforwarding=1
3 Setup route on each gateway
On the gateway of the 1921683x network
gt route ndashp add 1921681290 mask 25525500 1001103
On the gateway of the 192168129x network
gt route ndashp add 19216830 mask 25525500 1001102
4 Setup route stable When using routing method you need to tell your other machines how to cross the VPN to
access computers on the opposite network
Option1
This requires more work but limits configuration changes to be at the computer level
On each computer of the 1921683x network
gt route ndashp add 1921681290 mask 25525500 1921683234
On each computer of the 192168129x network
gt route ndashp add 19216830 mask 25525500 192168129129
Option 2 (not all routers support this but it is the minimal configuration method)
On the router acting as the default gateway for 1921683x network add a static route that says any traffic destined
for 1921681290 network go through 1921683x (IP address of NeoRouter PC on 1921683x network)
On the router acting as the default gateway for 192168129x network add a static route that says any traffic
destined for 19216830 network go through 192168129x (IP address of NeoRouter PC on 192168129x
network)
User Manual
NeoRouter Inc 2010 Page 47 of 53
536 Bridging Setup ndash site to site VPN
537 Run Scripts When Network Bridge feature is enabled one can define commands getting called by NR Client on the following
events
These commands should be defined in the Featureini file
1When initialize the tap device but not activate it yet
CmdOnTapInit=xxxxxxxxx
2When the tap device gets activated
CmdOnTapActive=xxxxxxxxx
3When tap device gets destroyed
CmdOnTapUninit=xxxxxxxxx
These options are available on all platforms
For example one can define a script to setup static route table after the tap gets activated and has virtual IP address
assigned
Featureini
CmdOnTapActive=usrbinsetroutetablesh
User Manual
NeoRouter Inc 2010 Page 48 of 53
54 Build Custom Add-on (Windows)
541 Create Custom Add-on You can customize an add-on or even create your own
As an example letrsquos create an add-on to get the system info of a remote computer using PsTools by Mark
Russinovich and systeminfoexe command shipped with Windows
PsTools httptechnetmicrosoftcomen-ussysinternalsbb896649aspx
systeminfo httptechnetmicrosoftcomen-uslibrarybb491007aspx
a Launch NeoRouter Network Explorer open Add-ons Manager dialog
b Click + button to create a new add-on
c In add-on properties dialog enter the following
Add-on name psexec systeminfo
Command
cmdexe C cpstoolspsexecexe NRIPAddress -u ltusernamegt systeminfo amp pause
Please replace ltusernamegt with username on the remote computer
Comment Get SystemInfo of remote machine using psexec
Startup Type Manual
Icon click Change Icon button to choose one thats easy to recognize
d In the command you can use Windows environment variables or NeoRouter variables like
NRIPAddress If you click on the button next to the Command edit box you will see the Edit
Command dialog with a list of variables you can use
User Manual
NeoRouter Inc 2010 Page 49 of 53
e Three Startup types are supported
Manual the add-on will be displayed in the launch pad of Network Explorer and user can manually
launch the program
Automatic after signing in the add-on command is automatically executed when user signs into
NeoRouter Network Explorer
Automatic after Windows starts the add-on command is automatically executed when Windows
starts
f Launch the new add-on just click on the target computer in Network Explorer and choose the add-on in
the pop-up launch pad
User Manual
NeoRouter Inc 2010 Page 50 of 53
g In the above steps I have assumed that PsTools are installed at cPsTools and the remote computer has
telnet service enabled If not lets configure the system now
PsTools download from httptechnetmicrosoftcomen-ussysinternalsbb896649aspx and extract to
cPsTools folder
h Configure telnet service on remote computer This step is required on XPVista but not necessary on
Windows 20032008 servers
Run servicesmsc from the Start -gt Run command window and configured the Telnet service for
Automatic Start the service
Follow the instructions here httpsupportmicrosoftcomkb298060en-us
Launch Windows firewall and add CWINDOWSSystem32tlntsvrexe to exception list
542 Add-on File Formats
NeoRouter supports two types of add-on files nri and nra Most users only need to deal with nri files all files
downloaded from httpwwwneoroutercomaddonsindexhtml are in this format nra files are used by advanced
users to build custom add-ons
nri is the full installation package that contains both the application and the the configure info Users can simply
download nri files from and use the Install button to setup the add-on
nra contains only the configuration info Advanced users can create custom add-ons and export the configuration
info as nra files using the Export button in the add-on properties dialog Then heshe can import the nra file
on another client But remember that you will need to manually setup the application as well
User Manual
NeoRouter Inc 2010 Page 51 of 53
6 Licensing NeoRouter
61 Licensing Overview
NeoRouter Server Professional Edition has a license control mechanism User can purchase either 8 licenses or 256
licenses The number of licenses is the max number of client computers allowed in the virtual network A
NeoRouter client requires one license regardless of whether it is online or offline A NeoRouter PortableUSB client
requires one license when it is connected to the virtual network There is no limit on the number of user accounts
NeoRouter Professional has 30 days trial period Please activate before the trial period expires to ensure
uninterrupted usage The license status and remaining trial days can be found at Configuration Explorerrsquos General
page
62 Activation
If you have purchased NeoRouter Professional Edition you should receive a product key in email Please have the
product key ready before starting the activation process
a Ensure NeoRouter server is running
b Launch Configuration Explorer and sign in
c Open ldquoGeneralrdquo page click on the ldquoActivate Productrdquo button
d Enter the product key in the following dialog
e Click on the ldquoOKrdquo button to activate it
After successful activation the ldquoActivate Productrdquo button will disappear and License status will show as activated
If the server host is non-Windows you can also activate using nrserverrsquos CLI The command is as follows On Mac
nrserver executable is located under LibraryNeoRouter
ldquonrserver ndashactivateproduct ltPRODUCT KEYgtrdquo
63 Product Key Recovery
You should receive a product key in email within 48 hours after your purchase If you lose the product key please
contact us and provide your name company shipping address and email address We will verify the information and
resend the product key to you
User Manual
NeoRouter Inc 2010 Page 52 of 53
7 Troubleshooting and Support
71 Troubleshooting
If you come cross issues when using NeoRouter please use the methods to debug or report
711 Troubleshooting steps
1Install Server
2Check Server
Process
3Check Server
Listening port
4Check Port
Forwarding
6Signin with
Domain
14Check Error
Message
20 Generate Log
and email support
9Install Client
10Check Client
Service Process
11Sign in with
serverrsquos local or
public IP and port
failed
sucessful
15 Manually Start
Servernot found
started
not start
found
not open17 Check Port
conflicts
solved
Not solved
opened
19 Check Router
Port Forward
setting
not work
Set properly
8Ready
Sign in successfully
5Sign in with
public IP and port
successful
Cannot sign in
22 Router Hairpin
issue
Cannot
sign in
12Sign in with
domain name
found
successful
failed
16 Manually Start
Client ServiceNot found
started
13Ready
Sign in successfully
18 Check serverCannot
Sign in
solved
Cannot
sign in
21 Check domain
setting
Not sovled solved
Troubleshooting Steps
Setup Server Setup Client
Note
Step 2 and 10 to check if a process is running you can use Task Manager or Services Console on
Windows or ps command on other platforms
Step 3 to check server listening port you can use telnet or netstat on all platforms You can also
TcpViewer on Windows or NetActView on Linux
Step 4 to check port forwarding you can use httpwwwneoroutercomcheckportphp
Step 5 and 6 Tip ndash use Configuration Explorer instead of Network Explorer to debug server issues
Step 20 next section will explain how to generate log files
User Manual
NeoRouter Inc 2010 Page 53 of 53
Step 22 If your router does not support Hairpin please set serverrsquos LAN address in the Connection
Options dialog See Server Local Address
712 Generate Log
If you need technical support please use the following steps to collect the log files and send them to
supportneoroutercom
a Launch Network Explorer
b Select menu item HelpgtgtTroubleshootinggtgtLog Session to File
c If you want to troubleshoot the server then restart the NeoRouter server service from the servicesmsc if
you want to create log for the client then restart the NeoRouter client service from the servicemsc
d After reproduce the issue select menu item HelpgtgtTroubleshootinggtgt Log Session to File again to disable
the log and restart the service you are trying to log
e Select menu item HelpgtgtTroubleshootinggtgtOpen Configuration Folder and you will see the log file
For advanced users please setup logging settings manually referring to
httpwwwneoroutercomwikiindexphpNeoRouterWikiFAQHow_to_generate_a_log_file3F
72 Contact Us
Company website
httpwwwneoroutercom
Technical support
supportneoroutercom
Support ticket
httpswwwneoroutercomDashboardSendTicketaspx
Support forum
httpwwwneoroutercomforum
Product sales
salesneoroutercom
Knowledge base
httpwwwneoroutercomsupport
User Manual
NeoRouter Inc 2010 Page 35 of 53
ACL defines the relationships between users and computers that can be conceptually represented using a table In
Joersquos case he needs to define the ACL as follows
Default User Joe (Admin) Customer Joersquo Co-workers
Default Computer ACL Block all
File Server Allow all Allow file sharing
block other services
Office Computer A Allow all Block all
Office Computer B Allow all Block all
Joersquos laptop Allow all Block all
Customerrsquos Computer
Letrsquos first look at the row for File Server Joersquos customer will only have access to the files sharing service There is
no ACL defined for Joe and his co-workers so the ACL for Default User is effective and they have full access
Similarly the customer will be blocked from accessing office computer A and B as well as Joersquos laptop while Joe
and his coworkers have full access to these computers
When the customer connects to Joersquos NeoRouter domain his computer will be added to the domain Because the
ACL for this computer is undefined it will have the same ACL as ldquoDefault Computerrdquo Thus the customerrsquos
computer will block all users including Joe from accessing it The customer has physical access to his own
computer
442 Define Computer ACL
You can think of a computerrsquos ACL as a row in the above ACL table An admin can select any computer in the
computer list and edit its ACL If a group of computers share the same ACL admin can copy ACL from one
computer to another
To edit the Default Computer ACL you can click on the ldquoEdit Default ACLrdquo button in the tool bar
User Manual
NeoRouter Inc 2010 Page 36 of 53
443 Define ACL entry
An ACL entry defines the relationship between one user and one computer You can think of it as a cell in the above
table To edit an ACL entry you can select the computer in the computer list click Edit ACL in the tool bar and
then select the user in the User List in the following dialog If the user does not exist in the list you can click Add
button and add himher
There are 4 types of ACL entries
Undefined the relationship between the user and the computer is not explicitly defined The user does not
show up in the User List of the ACL In this case the Default User ACL entry for this computer will be
effective
Block All the computer is invisible to the user User cannot add the computer to hisher computer list in
Network Explorer or connect to it
Note admin can view the list of computers that is visible to a specific user Click on the User Accounts tab
choose the user and then click on the ldquoUser Computer Listrdquo button from tool bar
Firewall On User can only access the services in the exceptions list provided by the computer
Firewall Off User can access all services provided by the computer
To define the Default User ACL entry for a computer choose Default User from User List If several users have the
same trust level admin can copy the ACL entry from one user to another using the ldquoCopy Fromrdquo button
444 How Firewall Works
NeoRouter Client Service daemon has a built-in firewall that monitors traffic in the virtual network The firewall
downloads the ACL from server and uses it to allow or deny incoming connections in the virtual network
User Manual
NeoRouter Inc 2010 Page 37 of 53
When a remote computer establishes a direct P2P or relayed connection to local host it also informs which user has
signed into the Network Explorer on the remote computer Then the local hostrsquos firewall will use the user id to
choose the appropriate ACL entry and control the virtual network traffic between these two computers If user does
not sign in Network Explorer on the remote computer the Default User ACL entry is used
As a result NeoRouter firewall can control a userrsquos access to a network resource (a computer or a service on a
computer) based on the ACL
445 Example hub-and-spoke
Jeffrsquos company has three business partners A B and C Jeff needs to setup bidirectional network connections with
each partner but these partners should be invisible to each other Jeff setup a NeoRouter domain and invited the
partners to Then Jeff creates the following ACL to achieve his access control goals
Default User Jeff (Admin) Partner A Partner B Partner C
Default Computer ACL Block all Allow all
Jeffrsquos Computer 1 (Hub 1) Allow all
Jeffrsquos Computer 2 (Hub 2) Allow all
Partner Arsquos Computer
Partner Brsquos computer
Partner Crsquos computer
Every user will have access to Jeffrsquos two computers (hub) because they have Default User ACL entry as ldquoAllow
allrdquo Partner Arsquos computer does not have a specific ACL defined so the Default Computer ACL is effective The
Default Computer ACL grants Jeff access to Partner Arsquos computer but make the computer invisible to Partner B and
C Partner A have physical access to his own computer
446 Example one-way access
Jasonrsquos company provide technical support for customer A Jason needs to have one-way access to Customer Arsquos
computer but block Customer A from accessing Jasonrsquos computer Jason sets up the following ACL for his domain
and invites Customer A to join his domain Jason can access all the computers in the domain while Customer A can
access none except for his own
One day Jason visits another Customer Brsquos office He installs NeoRouter client on Customer Brsquos computer so that he
can provide technical support remotely in the future When he signs into Network Explorer he makes sure to
uncheck ldquoremember my passwordrdquo checkbox When he leaves customer Brsquos office he exits the Network Explorer
Because Network Explorer is not running on Customer Brsquos computer the Default User ACL governs the
connections from Customer Brsquos computer to other computers in the VLAN Thus Customer B does not have access
to any computers except for his own When Jason goes back to his office he can connect to Customer Brsquos computer
remotely and provide customer support
The difference between Customer A and B is that Customer A has a NeoRouter user account while Customer B does
not The result is that Jason has access to all three computers while Customer A or B can only access hisher own
computer
Default User Jason (Admin) Customer A
Default Computer ACL Block all Allow all
Jasonrsquos Computer
Customer Arsquos Computer
Customer Brsquos Computer
User Manual
NeoRouter Inc 2010 Page 38 of 53
45 Managing Server and Domain
In the Settings page you can perform the following tasks
- Change domain name User should have setup a domain during the server installation If you decide to
change the domain name you can create a new domain at NeoRouter Dashboard website and then use
Configuration Explorer to switch the server to new domain
- Change Listen Port this is discussed in the Advanced Configuration chapter
- Change NAT setting this is discussed in the Server Installation chapter
- Change DHCP this is discussed in the Advanced Configuration chapter
Please restart the NeoRouter server daemon after changes
46 Branding
This feature is available in NeoRouter Profession Edition only
Admin can customize the logo on the sign-in page NeoRouter Network Explorer and the banner below the computer
list The customization page of the Configuration Explorer allows user to make these changes The changes will be
effective next time user signs into the Network Explorer
User Manual
NeoRouter Inc 2010 Page 39 of 53
a Logo format custom logo can be JPG JPEG BMP or GIF files The Logo will be displayed in 180 80
pixels and the file will be automatically resized to fit The color of the pixel at (0 0) will be used as the
transparent color
b Banner format custom banner can be JPG JPEG BMP or GIF files The banner will be displayed in
190 42 pixels and the file will be automatically resized to fit
c When user clicks on the banner Network Explorer will launch a web browser and navigate to the link
specified in the ldquoBanner Linkrdquo box The banner link should be a valid URL that begins with http eg
httpwwwgooglecom
User Manual
NeoRouter Inc 2010 Page 40 of 53
47 Server Configuration CLI
Another way to configure the NeoRouter server is to use nrserverrsquos CLI If user does not have a Windows computer
with Configuration Explorer this tool can be used to set most configurations
Usage nrserver [options]
-run [--dbroot ltDBROOTgt]]
-showsettings
-setdomain ltDOMAINNAMEgt ltDOMAINPASSWORDgt
-setport ltPORTgt
-dhcp ltSUBNETgt ltNETMASKgt
-showusers
-adduser ltUSERNAMEgt ltPASSWORDgt [admin|user]
-setpassword ltUSERNAMEgt ltNEW PASSWORDgt
-setrole ltUSERNAMEgt [admin|user]
-enableuser ltUSERNAMEgt
-disableuser ltUSERNAMEgt
-deleteuser ltUSERNAMEgt
-showcomputers
-deletecomputer COMPUTERNAME
-setalias COMPUTERNAME ALIAS
-help
5 Advanced Configuration
51 Change Server Port
By default NeoRouter server listens at TCP port 32976 for incoming client connections User can change the
listening port to any valid number between 1 and 65534
a Launch Configuration Explorer sign in and open the Settings tab
b Click on ldquoChange Portrdquo button input the new listening port and click ldquoOkrdquo to save the settings
c If the NeoRouter Server is running on the same computer user will be prompted for restarting the
NeoRouter Server
d If the NeoRouter Server is running on a different computer or device user needs to restart the server
manually
User Manual
NeoRouter Inc 2010 Page 41 of 53
Note
- The new settings will not take effect until the NeoRouter server stops and restarts
- Since the listening port has been changed all NeoRouter clients connected to the server will be
disconnected and have to reconnect to the server
52 Change DHCP NeoRouter server acts as a DHCP server to allocate the virtual IP address when a NeoRouter client connects to it By default the base IP address is 100002552552550 User can change the base IP address to any valid network IP address to meet the specific requirements
a Run Configuration Explorer sign in and open the ldquoSettingsrdquo tab b Click on ldquoChange DHCPrdquo button input the new IP address and netmask and then click ldquoOkrdquo to save the
settings c If the NeoRouter Server is running on the same computer user will be prompted for restarting the
NeoRouter Server d If the NeoRouter Server is running on a different computer or device user needs to restart the server
manually
Note
- The new settings will not take effect until the NeoRouter server stops and restarts
53 Network Bridge
531 Overview NeoRouter (v099 or later) supports the Network Bridge feature which uses two very different means for
interconnecting networks routing and bridging Once the feature is enabled the ACL feature will be disabled
automatically as we cannot control the packets from the external networks anymore and may cause security issues if
its not setup properly So this is an advanced feature for the users who know about it every well
Routing - refers to the interconnection of separate and independent sub-networks (subnets) which have non-
overlapping ranges of IP addresses Upon receiving a packet sent to it a network router examines the
destination IP address to determine which of several connected networks should receive it after which that packet
is forwarded to the proper network
User Manual
NeoRouter Inc 2010 Page 42 of 53
Bridging - by comparison is much simpler A network bridge is simply an electrical interconnection between
separate physical networks that are all carrying the same ranges of IP addresses Standard dumb network hubs
and switches are examples of network bridges With a hub packets arriving at any port are bridged and sent
out to every other port A switch is a bit smarter since it is able to adaptively learn which network interface cards
(NICs) are attached to which ports But a switch is still interconnecting network segments carrying the same
ranges of IP addresses
532 Routing vs Bridging Although routed connections are the most common and straightforward to configure they suffer from significant
operational limitations By comparison bridged connections are generally much trickier to configure and are not
even natively available under all operating systems so they are not the default connection type But when bridging
is properly setup it correctly does everything that we want
Bridging and routing are functionally very similar with the major difference being that a routed VPN will not pass
IP broadcasts while a bridged VPN will
Routing advantages
Efficiency and scalability
Allows better tuning of MTU for efficiency
Routing disadvantages
Clients must use a WINS server (such as samba) to allow cross-VPN network browsing to work
Routes must be set up linking each subnet
Software that depends on broadcasts will not see machines on the other side of the VPN
Works only with IPv4 in general and IPv6 in cases where tuntap drivers on both ends of the connection
support it explicitly
Bridging advantages
Broadcasts traverse the VPN -- this allows software that depends on LAN broadcasts such as Windows
NetBIOS file sharing and network neighborhood browsing to work
No route statements to configure
Works with any protocol that can function over ethernet
Relatively easy-to-configure solution for road warriors
Bridging disadvantages
Less efficient than routing and does not scale well
533 Setup Network Bridge With either bridging mode or routing mode one can create point-to-site VPN site-to-site VPN or even multiple site-
to-site networks Once a network structure is well designed one can use Featureini file to control NeoRouter client
service to implement it
The file Featureini is located in the main configuration folder which can be various for different OS
On Windows Xp
XDocuments and SettingsAll UsersApplication DataZebraNetworkSystemsNeoRouter
On Vista+
XUsersAll UsersZebraNetworkSystemsNeoRouter
On Linux and Mac OSX
usrlocalZebraNetworkSystemsNeoRouter
On in-a-box
jffs
If it does not exist please create one
The only thing to do is define the parameters in the Featureini file
User Manual
NeoRouter Inc 2010 Page 43 of 53
NetworkBridge=1
LANSegment parameter
This is a set of parameters used for mapping the external IP address or IP range to a virtual IP address so that
NeoRouter can route the packets to the proper tunnel Its defined in the following format
LANSegment[index]=[IP|IP range|segment]VIP
[index] - number start from 1 for example 123
[IP] - a valid external IP address for example 192168129126
[IP range] - a set of external IP addresses in the format as IP_BEGIN-IP_END For example 192168129126-
192168129128
[segment] - a set of external IP addresses in the format as SUBNETWORKNETMASK For example
19216812902552552550
For example
[Default]
NetworkBridge=1
LANSegment1=192168129126-192168129128192168129204
LANSegment2=192168129120192168129205
LANSegment3=192168302552552550192168129206
In the sample above the setting tells NeoRouter how to route packets
Here are several common scenarios
534 Bridging Setup ndash point to site VPN
Requirement
A company wants create a point-to-site VPN so that the employees can remotely access the printers or computers in
the office from home or customer site Since NeoRouter client cannot be installed on the printers and some
User Manual
NeoRouter Inc 2010 Page 44 of 53
computers that are running Unix OS (HP-Unix Solaris or SCO Unix) the NeoRouter Network Bridge feature
would the best choice
Design
Since we want to use the printer its better to use the bridging mode Depending on the requirements we split the
network into 3 groups
1 192168129126 - 192168128128 used for computers or printers
2 192168129200 - 192168129254 used for NeoRouter DHCP
3 Other IP address we dont want packets from these IP range go to our VPN
Setup
1 Setup NeoRouter server and config the DHCP address to 1921681292002552552550
2 Setup the gateway computer by creating a bridge to combine the NeoRouter virtual adapter and a local adapter
On Windows XP+ (except WinXp x64) one can use Windows tool to create a bridge
(check out MSDN for details)
Since some adapters may not fully support prosmic mode one has to enable it manually
(check out httpsupportmicrosoftcomkb302348)
gt netsh bridge show adapter
gt netsh bridge set a 1 e
gt netsh bridge set a 2 e
On Linux one can use brctl command to create a bridge
gt brctl addbr $br
gt brctl addif $br eth0
gt brctl addif $br nrtap
gt ifconfig nrtap 0000 promisc up
gt ifconfig eth0 0000 promisc up
gt ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast
gt
gt ifconfig $br down
gt brctl delbr $br
3 Setup Featureini file on each member of the NeoRouter network The content of the file is
[Default]
NetworkBridge=1
LANSegment1=192168129126-192168129128192168129204
After setting the file restart the nrservice or reboot computer
User Manual
NeoRouter Inc 2010 Page 45 of 53
535 Routing Setup ndash site to site VPN
Requirement
A company wants create a site-to-site VPN to link two offices located in different cities They cannot install
NeoRouter client software on their computers running Unix OS (HP-Unix Solaris or SCO Unix) The NeoRouter
Network Bridge feature would be the best choice
Design
To make the VPN fast its better to use the routing mode From the requirements we can see 3 networks
1 19216812902552552550 Office 1
2 192168302552552550 Office 2
3 100102552552550 NeoRouter virtual network
Setup
1 Setup NeoRouter client on each gateway computers
2 One each gateway computer enable the feature allowing the OS to forward packets
On Windows 2000+
create HKEY_Local_MachineSystemCurrentControlSetServicesTcpipParametersIPEnableRouter
as a string value equal to 1 in the registry This will require a system reboot to take effect To confirm it
is enabled do ipconfig all from the command line IP Routing Enabled should say yes If not confirm your
registry setting and reboot again This setting is flaky in non-server versions of Windows
Also refer to httpsupportmicrosoftcomkb230082en-us
On Linux
gt echo 1 gt procsysnetipv4ip_forward
User Manual
NeoRouter Inc 2010 Page 46 of 53
On Mac OS X
1) The easy way is to create or edit etcsysctlconf and add netinetipforwarding=1
or
2) gt sysctl -w netinetipforwarding=1
3 Setup route on each gateway
On the gateway of the 1921683x network
gt route ndashp add 1921681290 mask 25525500 1001103
On the gateway of the 192168129x network
gt route ndashp add 19216830 mask 25525500 1001102
4 Setup route stable When using routing method you need to tell your other machines how to cross the VPN to
access computers on the opposite network
Option1
This requires more work but limits configuration changes to be at the computer level
On each computer of the 1921683x network
gt route ndashp add 1921681290 mask 25525500 1921683234
On each computer of the 192168129x network
gt route ndashp add 19216830 mask 25525500 192168129129
Option 2 (not all routers support this but it is the minimal configuration method)
On the router acting as the default gateway for 1921683x network add a static route that says any traffic destined
for 1921681290 network go through 1921683x (IP address of NeoRouter PC on 1921683x network)
On the router acting as the default gateway for 192168129x network add a static route that says any traffic
destined for 19216830 network go through 192168129x (IP address of NeoRouter PC on 192168129x
network)
User Manual
NeoRouter Inc 2010 Page 47 of 53
536 Bridging Setup ndash site to site VPN
537 Run Scripts When Network Bridge feature is enabled one can define commands getting called by NR Client on the following
events
These commands should be defined in the Featureini file
1When initialize the tap device but not activate it yet
CmdOnTapInit=xxxxxxxxx
2When the tap device gets activated
CmdOnTapActive=xxxxxxxxx
3When tap device gets destroyed
CmdOnTapUninit=xxxxxxxxx
These options are available on all platforms
For example one can define a script to setup static route table after the tap gets activated and has virtual IP address
assigned
Featureini
CmdOnTapActive=usrbinsetroutetablesh
User Manual
NeoRouter Inc 2010 Page 48 of 53
54 Build Custom Add-on (Windows)
541 Create Custom Add-on You can customize an add-on or even create your own
As an example letrsquos create an add-on to get the system info of a remote computer using PsTools by Mark
Russinovich and systeminfoexe command shipped with Windows
PsTools httptechnetmicrosoftcomen-ussysinternalsbb896649aspx
systeminfo httptechnetmicrosoftcomen-uslibrarybb491007aspx
a Launch NeoRouter Network Explorer open Add-ons Manager dialog
b Click + button to create a new add-on
c In add-on properties dialog enter the following
Add-on name psexec systeminfo
Command
cmdexe C cpstoolspsexecexe NRIPAddress -u ltusernamegt systeminfo amp pause
Please replace ltusernamegt with username on the remote computer
Comment Get SystemInfo of remote machine using psexec
Startup Type Manual
Icon click Change Icon button to choose one thats easy to recognize
d In the command you can use Windows environment variables or NeoRouter variables like
NRIPAddress If you click on the button next to the Command edit box you will see the Edit
Command dialog with a list of variables you can use
User Manual
NeoRouter Inc 2010 Page 49 of 53
e Three Startup types are supported
Manual the add-on will be displayed in the launch pad of Network Explorer and user can manually
launch the program
Automatic after signing in the add-on command is automatically executed when user signs into
NeoRouter Network Explorer
Automatic after Windows starts the add-on command is automatically executed when Windows
starts
f Launch the new add-on just click on the target computer in Network Explorer and choose the add-on in
the pop-up launch pad
User Manual
NeoRouter Inc 2010 Page 50 of 53
g In the above steps I have assumed that PsTools are installed at cPsTools and the remote computer has
telnet service enabled If not lets configure the system now
PsTools download from httptechnetmicrosoftcomen-ussysinternalsbb896649aspx and extract to
cPsTools folder
h Configure telnet service on remote computer This step is required on XPVista but not necessary on
Windows 20032008 servers
Run servicesmsc from the Start -gt Run command window and configured the Telnet service for
Automatic Start the service
Follow the instructions here httpsupportmicrosoftcomkb298060en-us
Launch Windows firewall and add CWINDOWSSystem32tlntsvrexe to exception list
542 Add-on File Formats
NeoRouter supports two types of add-on files nri and nra Most users only need to deal with nri files all files
downloaded from httpwwwneoroutercomaddonsindexhtml are in this format nra files are used by advanced
users to build custom add-ons
nri is the full installation package that contains both the application and the the configure info Users can simply
download nri files from and use the Install button to setup the add-on
nra contains only the configuration info Advanced users can create custom add-ons and export the configuration
info as nra files using the Export button in the add-on properties dialog Then heshe can import the nra file
on another client But remember that you will need to manually setup the application as well
User Manual
NeoRouter Inc 2010 Page 51 of 53
6 Licensing NeoRouter
61 Licensing Overview
NeoRouter Server Professional Edition has a license control mechanism User can purchase either 8 licenses or 256
licenses The number of licenses is the max number of client computers allowed in the virtual network A
NeoRouter client requires one license regardless of whether it is online or offline A NeoRouter PortableUSB client
requires one license when it is connected to the virtual network There is no limit on the number of user accounts
NeoRouter Professional has 30 days trial period Please activate before the trial period expires to ensure
uninterrupted usage The license status and remaining trial days can be found at Configuration Explorerrsquos General
page
62 Activation
If you have purchased NeoRouter Professional Edition you should receive a product key in email Please have the
product key ready before starting the activation process
a Ensure NeoRouter server is running
b Launch Configuration Explorer and sign in
c Open ldquoGeneralrdquo page click on the ldquoActivate Productrdquo button
d Enter the product key in the following dialog
e Click on the ldquoOKrdquo button to activate it
After successful activation the ldquoActivate Productrdquo button will disappear and License status will show as activated
If the server host is non-Windows you can also activate using nrserverrsquos CLI The command is as follows On Mac
nrserver executable is located under LibraryNeoRouter
ldquonrserver ndashactivateproduct ltPRODUCT KEYgtrdquo
63 Product Key Recovery
You should receive a product key in email within 48 hours after your purchase If you lose the product key please
contact us and provide your name company shipping address and email address We will verify the information and
resend the product key to you
User Manual
NeoRouter Inc 2010 Page 52 of 53
7 Troubleshooting and Support
71 Troubleshooting
If you come cross issues when using NeoRouter please use the methods to debug or report
711 Troubleshooting steps
1Install Server
2Check Server
Process
3Check Server
Listening port
4Check Port
Forwarding
6Signin with
Domain
14Check Error
Message
20 Generate Log
and email support
9Install Client
10Check Client
Service Process
11Sign in with
serverrsquos local or
public IP and port
failed
sucessful
15 Manually Start
Servernot found
started
not start
found
not open17 Check Port
conflicts
solved
Not solved
opened
19 Check Router
Port Forward
setting
not work
Set properly
8Ready
Sign in successfully
5Sign in with
public IP and port
successful
Cannot sign in
22 Router Hairpin
issue
Cannot
sign in
12Sign in with
domain name
found
successful
failed
16 Manually Start
Client ServiceNot found
started
13Ready
Sign in successfully
18 Check serverCannot
Sign in
solved
Cannot
sign in
21 Check domain
setting
Not sovled solved
Troubleshooting Steps
Setup Server Setup Client
Note
Step 2 and 10 to check if a process is running you can use Task Manager or Services Console on
Windows or ps command on other platforms
Step 3 to check server listening port you can use telnet or netstat on all platforms You can also
TcpViewer on Windows or NetActView on Linux
Step 4 to check port forwarding you can use httpwwwneoroutercomcheckportphp
Step 5 and 6 Tip ndash use Configuration Explorer instead of Network Explorer to debug server issues
Step 20 next section will explain how to generate log files
User Manual
NeoRouter Inc 2010 Page 53 of 53
Step 22 If your router does not support Hairpin please set serverrsquos LAN address in the Connection
Options dialog See Server Local Address
712 Generate Log
If you need technical support please use the following steps to collect the log files and send them to
supportneoroutercom
a Launch Network Explorer
b Select menu item HelpgtgtTroubleshootinggtgtLog Session to File
c If you want to troubleshoot the server then restart the NeoRouter server service from the servicesmsc if
you want to create log for the client then restart the NeoRouter client service from the servicemsc
d After reproduce the issue select menu item HelpgtgtTroubleshootinggtgt Log Session to File again to disable
the log and restart the service you are trying to log
e Select menu item HelpgtgtTroubleshootinggtgtOpen Configuration Folder and you will see the log file
For advanced users please setup logging settings manually referring to
httpwwwneoroutercomwikiindexphpNeoRouterWikiFAQHow_to_generate_a_log_file3F
72 Contact Us
Company website
httpwwwneoroutercom
Technical support
supportneoroutercom
Support ticket
httpswwwneoroutercomDashboardSendTicketaspx
Support forum
httpwwwneoroutercomforum
Product sales
salesneoroutercom
Knowledge base
httpwwwneoroutercomsupport
User Manual
NeoRouter Inc 2010 Page 36 of 53
443 Define ACL entry
An ACL entry defines the relationship between one user and one computer You can think of it as a cell in the above
table To edit an ACL entry you can select the computer in the computer list click Edit ACL in the tool bar and
then select the user in the User List in the following dialog If the user does not exist in the list you can click Add
button and add himher
There are 4 types of ACL entries
Undefined the relationship between the user and the computer is not explicitly defined The user does not
show up in the User List of the ACL In this case the Default User ACL entry for this computer will be
effective
Block All the computer is invisible to the user User cannot add the computer to hisher computer list in
Network Explorer or connect to it
Note admin can view the list of computers that is visible to a specific user Click on the User Accounts tab
choose the user and then click on the ldquoUser Computer Listrdquo button from tool bar
Firewall On User can only access the services in the exceptions list provided by the computer
Firewall Off User can access all services provided by the computer
To define the Default User ACL entry for a computer choose Default User from User List If several users have the
same trust level admin can copy the ACL entry from one user to another using the ldquoCopy Fromrdquo button
444 How Firewall Works
NeoRouter Client Service daemon has a built-in firewall that monitors traffic in the virtual network The firewall
downloads the ACL from server and uses it to allow or deny incoming connections in the virtual network
User Manual
NeoRouter Inc 2010 Page 37 of 53
When a remote computer establishes a direct P2P or relayed connection to local host it also informs which user has
signed into the Network Explorer on the remote computer Then the local hostrsquos firewall will use the user id to
choose the appropriate ACL entry and control the virtual network traffic between these two computers If user does
not sign in Network Explorer on the remote computer the Default User ACL entry is used
As a result NeoRouter firewall can control a userrsquos access to a network resource (a computer or a service on a
computer) based on the ACL
445 Example hub-and-spoke
Jeffrsquos company has three business partners A B and C Jeff needs to setup bidirectional network connections with
each partner but these partners should be invisible to each other Jeff setup a NeoRouter domain and invited the
partners to Then Jeff creates the following ACL to achieve his access control goals
Default User Jeff (Admin) Partner A Partner B Partner C
Default Computer ACL Block all Allow all
Jeffrsquos Computer 1 (Hub 1) Allow all
Jeffrsquos Computer 2 (Hub 2) Allow all
Partner Arsquos Computer
Partner Brsquos computer
Partner Crsquos computer
Every user will have access to Jeffrsquos two computers (hub) because they have Default User ACL entry as ldquoAllow
allrdquo Partner Arsquos computer does not have a specific ACL defined so the Default Computer ACL is effective The
Default Computer ACL grants Jeff access to Partner Arsquos computer but make the computer invisible to Partner B and
C Partner A have physical access to his own computer
446 Example one-way access
Jasonrsquos company provide technical support for customer A Jason needs to have one-way access to Customer Arsquos
computer but block Customer A from accessing Jasonrsquos computer Jason sets up the following ACL for his domain
and invites Customer A to join his domain Jason can access all the computers in the domain while Customer A can
access none except for his own
One day Jason visits another Customer Brsquos office He installs NeoRouter client on Customer Brsquos computer so that he
can provide technical support remotely in the future When he signs into Network Explorer he makes sure to
uncheck ldquoremember my passwordrdquo checkbox When he leaves customer Brsquos office he exits the Network Explorer
Because Network Explorer is not running on Customer Brsquos computer the Default User ACL governs the
connections from Customer Brsquos computer to other computers in the VLAN Thus Customer B does not have access
to any computers except for his own When Jason goes back to his office he can connect to Customer Brsquos computer
remotely and provide customer support
The difference between Customer A and B is that Customer A has a NeoRouter user account while Customer B does
not The result is that Jason has access to all three computers while Customer A or B can only access hisher own
computer
Default User Jason (Admin) Customer A
Default Computer ACL Block all Allow all
Jasonrsquos Computer
Customer Arsquos Computer
Customer Brsquos Computer
User Manual
NeoRouter Inc 2010 Page 38 of 53
45 Managing Server and Domain
In the Settings page you can perform the following tasks
- Change domain name User should have setup a domain during the server installation If you decide to
change the domain name you can create a new domain at NeoRouter Dashboard website and then use
Configuration Explorer to switch the server to new domain
- Change Listen Port this is discussed in the Advanced Configuration chapter
- Change NAT setting this is discussed in the Server Installation chapter
- Change DHCP this is discussed in the Advanced Configuration chapter
Please restart the NeoRouter server daemon after changes
46 Branding
This feature is available in NeoRouter Profession Edition only
Admin can customize the logo on the sign-in page NeoRouter Network Explorer and the banner below the computer
list The customization page of the Configuration Explorer allows user to make these changes The changes will be
effective next time user signs into the Network Explorer
User Manual
NeoRouter Inc 2010 Page 39 of 53
a Logo format custom logo can be JPG JPEG BMP or GIF files The Logo will be displayed in 180 80
pixels and the file will be automatically resized to fit The color of the pixel at (0 0) will be used as the
transparent color
b Banner format custom banner can be JPG JPEG BMP or GIF files The banner will be displayed in
190 42 pixels and the file will be automatically resized to fit
c When user clicks on the banner Network Explorer will launch a web browser and navigate to the link
specified in the ldquoBanner Linkrdquo box The banner link should be a valid URL that begins with http eg
httpwwwgooglecom
User Manual
NeoRouter Inc 2010 Page 40 of 53
47 Server Configuration CLI
Another way to configure the NeoRouter server is to use nrserverrsquos CLI If user does not have a Windows computer
with Configuration Explorer this tool can be used to set most configurations
Usage nrserver [options]
-run [--dbroot ltDBROOTgt]]
-showsettings
-setdomain ltDOMAINNAMEgt ltDOMAINPASSWORDgt
-setport ltPORTgt
-dhcp ltSUBNETgt ltNETMASKgt
-showusers
-adduser ltUSERNAMEgt ltPASSWORDgt [admin|user]
-setpassword ltUSERNAMEgt ltNEW PASSWORDgt
-setrole ltUSERNAMEgt [admin|user]
-enableuser ltUSERNAMEgt
-disableuser ltUSERNAMEgt
-deleteuser ltUSERNAMEgt
-showcomputers
-deletecomputer COMPUTERNAME
-setalias COMPUTERNAME ALIAS
-help
5 Advanced Configuration
51 Change Server Port
By default NeoRouter server listens at TCP port 32976 for incoming client connections User can change the
listening port to any valid number between 1 and 65534
a Launch Configuration Explorer sign in and open the Settings tab
b Click on ldquoChange Portrdquo button input the new listening port and click ldquoOkrdquo to save the settings
c If the NeoRouter Server is running on the same computer user will be prompted for restarting the
NeoRouter Server
d If the NeoRouter Server is running on a different computer or device user needs to restart the server
manually
User Manual
NeoRouter Inc 2010 Page 41 of 53
Note
- The new settings will not take effect until the NeoRouter server stops and restarts
- Since the listening port has been changed all NeoRouter clients connected to the server will be
disconnected and have to reconnect to the server
52 Change DHCP NeoRouter server acts as a DHCP server to allocate the virtual IP address when a NeoRouter client connects to it By default the base IP address is 100002552552550 User can change the base IP address to any valid network IP address to meet the specific requirements
a Run Configuration Explorer sign in and open the ldquoSettingsrdquo tab b Click on ldquoChange DHCPrdquo button input the new IP address and netmask and then click ldquoOkrdquo to save the
settings c If the NeoRouter Server is running on the same computer user will be prompted for restarting the
NeoRouter Server d If the NeoRouter Server is running on a different computer or device user needs to restart the server
manually
Note
- The new settings will not take effect until the NeoRouter server stops and restarts
53 Network Bridge
531 Overview NeoRouter (v099 or later) supports the Network Bridge feature which uses two very different means for
interconnecting networks routing and bridging Once the feature is enabled the ACL feature will be disabled
automatically as we cannot control the packets from the external networks anymore and may cause security issues if
its not setup properly So this is an advanced feature for the users who know about it every well
Routing - refers to the interconnection of separate and independent sub-networks (subnets) which have non-
overlapping ranges of IP addresses Upon receiving a packet sent to it a network router examines the
destination IP address to determine which of several connected networks should receive it after which that packet
is forwarded to the proper network
User Manual
NeoRouter Inc 2010 Page 42 of 53
Bridging - by comparison is much simpler A network bridge is simply an electrical interconnection between
separate physical networks that are all carrying the same ranges of IP addresses Standard dumb network hubs
and switches are examples of network bridges With a hub packets arriving at any port are bridged and sent
out to every other port A switch is a bit smarter since it is able to adaptively learn which network interface cards
(NICs) are attached to which ports But a switch is still interconnecting network segments carrying the same
ranges of IP addresses
532 Routing vs Bridging Although routed connections are the most common and straightforward to configure they suffer from significant
operational limitations By comparison bridged connections are generally much trickier to configure and are not
even natively available under all operating systems so they are not the default connection type But when bridging
is properly setup it correctly does everything that we want
Bridging and routing are functionally very similar with the major difference being that a routed VPN will not pass
IP broadcasts while a bridged VPN will
Routing advantages
Efficiency and scalability
Allows better tuning of MTU for efficiency
Routing disadvantages
Clients must use a WINS server (such as samba) to allow cross-VPN network browsing to work
Routes must be set up linking each subnet
Software that depends on broadcasts will not see machines on the other side of the VPN
Works only with IPv4 in general and IPv6 in cases where tuntap drivers on both ends of the connection
support it explicitly
Bridging advantages
Broadcasts traverse the VPN -- this allows software that depends on LAN broadcasts such as Windows
NetBIOS file sharing and network neighborhood browsing to work
No route statements to configure
Works with any protocol that can function over ethernet
Relatively easy-to-configure solution for road warriors
Bridging disadvantages
Less efficient than routing and does not scale well
533 Setup Network Bridge With either bridging mode or routing mode one can create point-to-site VPN site-to-site VPN or even multiple site-
to-site networks Once a network structure is well designed one can use Featureini file to control NeoRouter client
service to implement it
The file Featureini is located in the main configuration folder which can be various for different OS
On Windows Xp
XDocuments and SettingsAll UsersApplication DataZebraNetworkSystemsNeoRouter
On Vista+
XUsersAll UsersZebraNetworkSystemsNeoRouter
On Linux and Mac OSX
usrlocalZebraNetworkSystemsNeoRouter
On in-a-box
jffs
If it does not exist please create one
The only thing to do is define the parameters in the Featureini file
User Manual
NeoRouter Inc 2010 Page 43 of 53
NetworkBridge=1
LANSegment parameter
This is a set of parameters used for mapping the external IP address or IP range to a virtual IP address so that
NeoRouter can route the packets to the proper tunnel Its defined in the following format
LANSegment[index]=[IP|IP range|segment]VIP
[index] - number start from 1 for example 123
[IP] - a valid external IP address for example 192168129126
[IP range] - a set of external IP addresses in the format as IP_BEGIN-IP_END For example 192168129126-
192168129128
[segment] - a set of external IP addresses in the format as SUBNETWORKNETMASK For example
19216812902552552550
For example
[Default]
NetworkBridge=1
LANSegment1=192168129126-192168129128192168129204
LANSegment2=192168129120192168129205
LANSegment3=192168302552552550192168129206
In the sample above the setting tells NeoRouter how to route packets
Here are several common scenarios
534 Bridging Setup ndash point to site VPN
Requirement
A company wants create a point-to-site VPN so that the employees can remotely access the printers or computers in
the office from home or customer site Since NeoRouter client cannot be installed on the printers and some
User Manual
NeoRouter Inc 2010 Page 44 of 53
computers that are running Unix OS (HP-Unix Solaris or SCO Unix) the NeoRouter Network Bridge feature
would the best choice
Design
Since we want to use the printer its better to use the bridging mode Depending on the requirements we split the
network into 3 groups
1 192168129126 - 192168128128 used for computers or printers
2 192168129200 - 192168129254 used for NeoRouter DHCP
3 Other IP address we dont want packets from these IP range go to our VPN
Setup
1 Setup NeoRouter server and config the DHCP address to 1921681292002552552550
2 Setup the gateway computer by creating a bridge to combine the NeoRouter virtual adapter and a local adapter
On Windows XP+ (except WinXp x64) one can use Windows tool to create a bridge
(check out MSDN for details)
Since some adapters may not fully support prosmic mode one has to enable it manually
(check out httpsupportmicrosoftcomkb302348)
gt netsh bridge show adapter
gt netsh bridge set a 1 e
gt netsh bridge set a 2 e
On Linux one can use brctl command to create a bridge
gt brctl addbr $br
gt brctl addif $br eth0
gt brctl addif $br nrtap
gt ifconfig nrtap 0000 promisc up
gt ifconfig eth0 0000 promisc up
gt ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast
gt
gt ifconfig $br down
gt brctl delbr $br
3 Setup Featureini file on each member of the NeoRouter network The content of the file is
[Default]
NetworkBridge=1
LANSegment1=192168129126-192168129128192168129204
After setting the file restart the nrservice or reboot computer
User Manual
NeoRouter Inc 2010 Page 45 of 53
535 Routing Setup ndash site to site VPN
Requirement
A company wants create a site-to-site VPN to link two offices located in different cities They cannot install
NeoRouter client software on their computers running Unix OS (HP-Unix Solaris or SCO Unix) The NeoRouter
Network Bridge feature would be the best choice
Design
To make the VPN fast its better to use the routing mode From the requirements we can see 3 networks
1 19216812902552552550 Office 1
2 192168302552552550 Office 2
3 100102552552550 NeoRouter virtual network
Setup
1 Setup NeoRouter client on each gateway computers
2 One each gateway computer enable the feature allowing the OS to forward packets
On Windows 2000+
create HKEY_Local_MachineSystemCurrentControlSetServicesTcpipParametersIPEnableRouter
as a string value equal to 1 in the registry This will require a system reboot to take effect To confirm it
is enabled do ipconfig all from the command line IP Routing Enabled should say yes If not confirm your
registry setting and reboot again This setting is flaky in non-server versions of Windows
Also refer to httpsupportmicrosoftcomkb230082en-us
On Linux
gt echo 1 gt procsysnetipv4ip_forward
User Manual
NeoRouter Inc 2010 Page 46 of 53
On Mac OS X
1) The easy way is to create or edit etcsysctlconf and add netinetipforwarding=1
or
2) gt sysctl -w netinetipforwarding=1
3 Setup route on each gateway
On the gateway of the 1921683x network
gt route ndashp add 1921681290 mask 25525500 1001103
On the gateway of the 192168129x network
gt route ndashp add 19216830 mask 25525500 1001102
4 Setup route stable When using routing method you need to tell your other machines how to cross the VPN to
access computers on the opposite network
Option1
This requires more work but limits configuration changes to be at the computer level
On each computer of the 1921683x network
gt route ndashp add 1921681290 mask 25525500 1921683234
On each computer of the 192168129x network
gt route ndashp add 19216830 mask 25525500 192168129129
Option 2 (not all routers support this but it is the minimal configuration method)
On the router acting as the default gateway for 1921683x network add a static route that says any traffic destined
for 1921681290 network go through 1921683x (IP address of NeoRouter PC on 1921683x network)
On the router acting as the default gateway for 192168129x network add a static route that says any traffic
destined for 19216830 network go through 192168129x (IP address of NeoRouter PC on 192168129x
network)
User Manual
NeoRouter Inc 2010 Page 47 of 53
536 Bridging Setup ndash site to site VPN
537 Run Scripts When Network Bridge feature is enabled one can define commands getting called by NR Client on the following
events
These commands should be defined in the Featureini file
1When initialize the tap device but not activate it yet
CmdOnTapInit=xxxxxxxxx
2When the tap device gets activated
CmdOnTapActive=xxxxxxxxx
3When tap device gets destroyed
CmdOnTapUninit=xxxxxxxxx
These options are available on all platforms
For example one can define a script to setup static route table after the tap gets activated and has virtual IP address
assigned
Featureini
CmdOnTapActive=usrbinsetroutetablesh
User Manual
NeoRouter Inc 2010 Page 48 of 53
54 Build Custom Add-on (Windows)
541 Create Custom Add-on You can customize an add-on or even create your own
As an example letrsquos create an add-on to get the system info of a remote computer using PsTools by Mark
Russinovich and systeminfoexe command shipped with Windows
PsTools httptechnetmicrosoftcomen-ussysinternalsbb896649aspx
systeminfo httptechnetmicrosoftcomen-uslibrarybb491007aspx
a Launch NeoRouter Network Explorer open Add-ons Manager dialog
b Click + button to create a new add-on
c In add-on properties dialog enter the following
Add-on name psexec systeminfo
Command
cmdexe C cpstoolspsexecexe NRIPAddress -u ltusernamegt systeminfo amp pause
Please replace ltusernamegt with username on the remote computer
Comment Get SystemInfo of remote machine using psexec
Startup Type Manual
Icon click Change Icon button to choose one thats easy to recognize
d In the command you can use Windows environment variables or NeoRouter variables like
NRIPAddress If you click on the button next to the Command edit box you will see the Edit
Command dialog with a list of variables you can use
User Manual
NeoRouter Inc 2010 Page 49 of 53
e Three Startup types are supported
Manual the add-on will be displayed in the launch pad of Network Explorer and user can manually
launch the program
Automatic after signing in the add-on command is automatically executed when user signs into
NeoRouter Network Explorer
Automatic after Windows starts the add-on command is automatically executed when Windows
starts
f Launch the new add-on just click on the target computer in Network Explorer and choose the add-on in
the pop-up launch pad
User Manual
NeoRouter Inc 2010 Page 50 of 53
g In the above steps I have assumed that PsTools are installed at cPsTools and the remote computer has
telnet service enabled If not lets configure the system now
PsTools download from httptechnetmicrosoftcomen-ussysinternalsbb896649aspx and extract to
cPsTools folder
h Configure telnet service on remote computer This step is required on XPVista but not necessary on
Windows 20032008 servers
Run servicesmsc from the Start -gt Run command window and configured the Telnet service for
Automatic Start the service
Follow the instructions here httpsupportmicrosoftcomkb298060en-us
Launch Windows firewall and add CWINDOWSSystem32tlntsvrexe to exception list
542 Add-on File Formats
NeoRouter supports two types of add-on files nri and nra Most users only need to deal with nri files all files
downloaded from httpwwwneoroutercomaddonsindexhtml are in this format nra files are used by advanced
users to build custom add-ons
nri is the full installation package that contains both the application and the the configure info Users can simply
download nri files from and use the Install button to setup the add-on
nra contains only the configuration info Advanced users can create custom add-ons and export the configuration
info as nra files using the Export button in the add-on properties dialog Then heshe can import the nra file
on another client But remember that you will need to manually setup the application as well
User Manual
NeoRouter Inc 2010 Page 51 of 53
6 Licensing NeoRouter
61 Licensing Overview
NeoRouter Server Professional Edition has a license control mechanism User can purchase either 8 licenses or 256
licenses The number of licenses is the max number of client computers allowed in the virtual network A
NeoRouter client requires one license regardless of whether it is online or offline A NeoRouter PortableUSB client
requires one license when it is connected to the virtual network There is no limit on the number of user accounts
NeoRouter Professional has 30 days trial period Please activate before the trial period expires to ensure
uninterrupted usage The license status and remaining trial days can be found at Configuration Explorerrsquos General
page
62 Activation
If you have purchased NeoRouter Professional Edition you should receive a product key in email Please have the
product key ready before starting the activation process
a Ensure NeoRouter server is running
b Launch Configuration Explorer and sign in
c Open ldquoGeneralrdquo page click on the ldquoActivate Productrdquo button
d Enter the product key in the following dialog
e Click on the ldquoOKrdquo button to activate it
After successful activation the ldquoActivate Productrdquo button will disappear and License status will show as activated
If the server host is non-Windows you can also activate using nrserverrsquos CLI The command is as follows On Mac
nrserver executable is located under LibraryNeoRouter
ldquonrserver ndashactivateproduct ltPRODUCT KEYgtrdquo
63 Product Key Recovery
You should receive a product key in email within 48 hours after your purchase If you lose the product key please
contact us and provide your name company shipping address and email address We will verify the information and
resend the product key to you
User Manual
NeoRouter Inc 2010 Page 52 of 53
7 Troubleshooting and Support
71 Troubleshooting
If you come cross issues when using NeoRouter please use the methods to debug or report
711 Troubleshooting steps
1Install Server
2Check Server
Process
3Check Server
Listening port
4Check Port
Forwarding
6Signin with
Domain
14Check Error
Message
20 Generate Log
and email support
9Install Client
10Check Client
Service Process
11Sign in with
serverrsquos local or
public IP and port
failed
sucessful
15 Manually Start
Servernot found
started
not start
found
not open17 Check Port
conflicts
solved
Not solved
opened
19 Check Router
Port Forward
setting
not work
Set properly
8Ready
Sign in successfully
5Sign in with
public IP and port
successful
Cannot sign in
22 Router Hairpin
issue
Cannot
sign in
12Sign in with
domain name
found
successful
failed
16 Manually Start
Client ServiceNot found
started
13Ready
Sign in successfully
18 Check serverCannot
Sign in
solved
Cannot
sign in
21 Check domain
setting
Not sovled solved
Troubleshooting Steps
Setup Server Setup Client
Note
Step 2 and 10 to check if a process is running you can use Task Manager or Services Console on
Windows or ps command on other platforms
Step 3 to check server listening port you can use telnet or netstat on all platforms You can also
TcpViewer on Windows or NetActView on Linux
Step 4 to check port forwarding you can use httpwwwneoroutercomcheckportphp
Step 5 and 6 Tip ndash use Configuration Explorer instead of Network Explorer to debug server issues
Step 20 next section will explain how to generate log files
User Manual
NeoRouter Inc 2010 Page 53 of 53
Step 22 If your router does not support Hairpin please set serverrsquos LAN address in the Connection
Options dialog See Server Local Address
712 Generate Log
If you need technical support please use the following steps to collect the log files and send them to
supportneoroutercom
a Launch Network Explorer
b Select menu item HelpgtgtTroubleshootinggtgtLog Session to File
c If you want to troubleshoot the server then restart the NeoRouter server service from the servicesmsc if
you want to create log for the client then restart the NeoRouter client service from the servicemsc
d After reproduce the issue select menu item HelpgtgtTroubleshootinggtgt Log Session to File again to disable
the log and restart the service you are trying to log
e Select menu item HelpgtgtTroubleshootinggtgtOpen Configuration Folder and you will see the log file
For advanced users please setup logging settings manually referring to
httpwwwneoroutercomwikiindexphpNeoRouterWikiFAQHow_to_generate_a_log_file3F
72 Contact Us
Company website
httpwwwneoroutercom
Technical support
supportneoroutercom
Support ticket
httpswwwneoroutercomDashboardSendTicketaspx
Support forum
httpwwwneoroutercomforum
Product sales
salesneoroutercom
Knowledge base
httpwwwneoroutercomsupport
User Manual
NeoRouter Inc 2010 Page 37 of 53
When a remote computer establishes a direct P2P or relayed connection to local host it also informs which user has
signed into the Network Explorer on the remote computer Then the local hostrsquos firewall will use the user id to
choose the appropriate ACL entry and control the virtual network traffic between these two computers If user does
not sign in Network Explorer on the remote computer the Default User ACL entry is used
As a result NeoRouter firewall can control a userrsquos access to a network resource (a computer or a service on a
computer) based on the ACL
445 Example hub-and-spoke
Jeffrsquos company has three business partners A B and C Jeff needs to setup bidirectional network connections with
each partner but these partners should be invisible to each other Jeff setup a NeoRouter domain and invited the
partners to Then Jeff creates the following ACL to achieve his access control goals
Default User Jeff (Admin) Partner A Partner B Partner C
Default Computer ACL Block all Allow all
Jeffrsquos Computer 1 (Hub 1) Allow all
Jeffrsquos Computer 2 (Hub 2) Allow all
Partner Arsquos Computer
Partner Brsquos computer
Partner Crsquos computer
Every user will have access to Jeffrsquos two computers (hub) because they have Default User ACL entry as ldquoAllow
allrdquo Partner Arsquos computer does not have a specific ACL defined so the Default Computer ACL is effective The
Default Computer ACL grants Jeff access to Partner Arsquos computer but make the computer invisible to Partner B and
C Partner A have physical access to his own computer
446 Example one-way access
Jasonrsquos company provide technical support for customer A Jason needs to have one-way access to Customer Arsquos
computer but block Customer A from accessing Jasonrsquos computer Jason sets up the following ACL for his domain
and invites Customer A to join his domain Jason can access all the computers in the domain while Customer A can
access none except for his own
One day Jason visits another Customer Brsquos office He installs NeoRouter client on Customer Brsquos computer so that he
can provide technical support remotely in the future When he signs into Network Explorer he makes sure to
uncheck ldquoremember my passwordrdquo checkbox When he leaves customer Brsquos office he exits the Network Explorer
Because Network Explorer is not running on Customer Brsquos computer the Default User ACL governs the
connections from Customer Brsquos computer to other computers in the VLAN Thus Customer B does not have access
to any computers except for his own When Jason goes back to his office he can connect to Customer Brsquos computer
remotely and provide customer support
The difference between Customer A and B is that Customer A has a NeoRouter user account while Customer B does
not The result is that Jason has access to all three computers while Customer A or B can only access hisher own
computer
Default User Jason (Admin) Customer A
Default Computer ACL Block all Allow all
Jasonrsquos Computer
Customer Arsquos Computer
Customer Brsquos Computer
User Manual
NeoRouter Inc 2010 Page 38 of 53
45 Managing Server and Domain
In the Settings page you can perform the following tasks
- Change domain name User should have setup a domain during the server installation If you decide to
change the domain name you can create a new domain at NeoRouter Dashboard website and then use
Configuration Explorer to switch the server to new domain
- Change Listen Port this is discussed in the Advanced Configuration chapter
- Change NAT setting this is discussed in the Server Installation chapter
- Change DHCP this is discussed in the Advanced Configuration chapter
Please restart the NeoRouter server daemon after changes
46 Branding
This feature is available in NeoRouter Profession Edition only
Admin can customize the logo on the sign-in page NeoRouter Network Explorer and the banner below the computer
list The customization page of the Configuration Explorer allows user to make these changes The changes will be
effective next time user signs into the Network Explorer
User Manual
NeoRouter Inc 2010 Page 39 of 53
a Logo format custom logo can be JPG JPEG BMP or GIF files The Logo will be displayed in 180 80
pixels and the file will be automatically resized to fit The color of the pixel at (0 0) will be used as the
transparent color
b Banner format custom banner can be JPG JPEG BMP or GIF files The banner will be displayed in
190 42 pixels and the file will be automatically resized to fit
c When user clicks on the banner Network Explorer will launch a web browser and navigate to the link
specified in the ldquoBanner Linkrdquo box The banner link should be a valid URL that begins with http eg
httpwwwgooglecom
User Manual
NeoRouter Inc 2010 Page 40 of 53
47 Server Configuration CLI
Another way to configure the NeoRouter server is to use nrserverrsquos CLI If user does not have a Windows computer
with Configuration Explorer this tool can be used to set most configurations
Usage nrserver [options]
-run [--dbroot ltDBROOTgt]]
-showsettings
-setdomain ltDOMAINNAMEgt ltDOMAINPASSWORDgt
-setport ltPORTgt
-dhcp ltSUBNETgt ltNETMASKgt
-showusers
-adduser ltUSERNAMEgt ltPASSWORDgt [admin|user]
-setpassword ltUSERNAMEgt ltNEW PASSWORDgt
-setrole ltUSERNAMEgt [admin|user]
-enableuser ltUSERNAMEgt
-disableuser ltUSERNAMEgt
-deleteuser ltUSERNAMEgt
-showcomputers
-deletecomputer COMPUTERNAME
-setalias COMPUTERNAME ALIAS
-help
5 Advanced Configuration
51 Change Server Port
By default NeoRouter server listens at TCP port 32976 for incoming client connections User can change the
listening port to any valid number between 1 and 65534
a Launch Configuration Explorer sign in and open the Settings tab
b Click on ldquoChange Portrdquo button input the new listening port and click ldquoOkrdquo to save the settings
c If the NeoRouter Server is running on the same computer user will be prompted for restarting the
NeoRouter Server
d If the NeoRouter Server is running on a different computer or device user needs to restart the server
manually
User Manual
NeoRouter Inc 2010 Page 41 of 53
Note
- The new settings will not take effect until the NeoRouter server stops and restarts
- Since the listening port has been changed all NeoRouter clients connected to the server will be
disconnected and have to reconnect to the server
52 Change DHCP NeoRouter server acts as a DHCP server to allocate the virtual IP address when a NeoRouter client connects to it By default the base IP address is 100002552552550 User can change the base IP address to any valid network IP address to meet the specific requirements
a Run Configuration Explorer sign in and open the ldquoSettingsrdquo tab b Click on ldquoChange DHCPrdquo button input the new IP address and netmask and then click ldquoOkrdquo to save the
settings c If the NeoRouter Server is running on the same computer user will be prompted for restarting the
NeoRouter Server d If the NeoRouter Server is running on a different computer or device user needs to restart the server
manually
Note
- The new settings will not take effect until the NeoRouter server stops and restarts
53 Network Bridge
531 Overview NeoRouter (v099 or later) supports the Network Bridge feature which uses two very different means for
interconnecting networks routing and bridging Once the feature is enabled the ACL feature will be disabled
automatically as we cannot control the packets from the external networks anymore and may cause security issues if
its not setup properly So this is an advanced feature for the users who know about it every well
Routing - refers to the interconnection of separate and independent sub-networks (subnets) which have non-
overlapping ranges of IP addresses Upon receiving a packet sent to it a network router examines the
destination IP address to determine which of several connected networks should receive it after which that packet
is forwarded to the proper network
User Manual
NeoRouter Inc 2010 Page 42 of 53
Bridging - by comparison is much simpler A network bridge is simply an electrical interconnection between
separate physical networks that are all carrying the same ranges of IP addresses Standard dumb network hubs
and switches are examples of network bridges With a hub packets arriving at any port are bridged and sent
out to every other port A switch is a bit smarter since it is able to adaptively learn which network interface cards
(NICs) are attached to which ports But a switch is still interconnecting network segments carrying the same
ranges of IP addresses
532 Routing vs Bridging Although routed connections are the most common and straightforward to configure they suffer from significant
operational limitations By comparison bridged connections are generally much trickier to configure and are not
even natively available under all operating systems so they are not the default connection type But when bridging
is properly setup it correctly does everything that we want
Bridging and routing are functionally very similar with the major difference being that a routed VPN will not pass
IP broadcasts while a bridged VPN will
Routing advantages
Efficiency and scalability
Allows better tuning of MTU for efficiency
Routing disadvantages
Clients must use a WINS server (such as samba) to allow cross-VPN network browsing to work
Routes must be set up linking each subnet
Software that depends on broadcasts will not see machines on the other side of the VPN
Works only with IPv4 in general and IPv6 in cases where tuntap drivers on both ends of the connection
support it explicitly
Bridging advantages
Broadcasts traverse the VPN -- this allows software that depends on LAN broadcasts such as Windows
NetBIOS file sharing and network neighborhood browsing to work
No route statements to configure
Works with any protocol that can function over ethernet
Relatively easy-to-configure solution for road warriors
Bridging disadvantages
Less efficient than routing and does not scale well
533 Setup Network Bridge With either bridging mode or routing mode one can create point-to-site VPN site-to-site VPN or even multiple site-
to-site networks Once a network structure is well designed one can use Featureini file to control NeoRouter client
service to implement it
The file Featureini is located in the main configuration folder which can be various for different OS
On Windows Xp
XDocuments and SettingsAll UsersApplication DataZebraNetworkSystemsNeoRouter
On Vista+
XUsersAll UsersZebraNetworkSystemsNeoRouter
On Linux and Mac OSX
usrlocalZebraNetworkSystemsNeoRouter
On in-a-box
jffs
If it does not exist please create one
The only thing to do is define the parameters in the Featureini file
User Manual
NeoRouter Inc 2010 Page 43 of 53
NetworkBridge=1
LANSegment parameter
This is a set of parameters used for mapping the external IP address or IP range to a virtual IP address so that
NeoRouter can route the packets to the proper tunnel Its defined in the following format
LANSegment[index]=[IP|IP range|segment]VIP
[index] - number start from 1 for example 123
[IP] - a valid external IP address for example 192168129126
[IP range] - a set of external IP addresses in the format as IP_BEGIN-IP_END For example 192168129126-
192168129128
[segment] - a set of external IP addresses in the format as SUBNETWORKNETMASK For example
19216812902552552550
For example
[Default]
NetworkBridge=1
LANSegment1=192168129126-192168129128192168129204
LANSegment2=192168129120192168129205
LANSegment3=192168302552552550192168129206
In the sample above the setting tells NeoRouter how to route packets
Here are several common scenarios
534 Bridging Setup ndash point to site VPN
Requirement
A company wants create a point-to-site VPN so that the employees can remotely access the printers or computers in
the office from home or customer site Since NeoRouter client cannot be installed on the printers and some
User Manual
NeoRouter Inc 2010 Page 44 of 53
computers that are running Unix OS (HP-Unix Solaris or SCO Unix) the NeoRouter Network Bridge feature
would the best choice
Design
Since we want to use the printer its better to use the bridging mode Depending on the requirements we split the
network into 3 groups
1 192168129126 - 192168128128 used for computers or printers
2 192168129200 - 192168129254 used for NeoRouter DHCP
3 Other IP address we dont want packets from these IP range go to our VPN
Setup
1 Setup NeoRouter server and config the DHCP address to 1921681292002552552550
2 Setup the gateway computer by creating a bridge to combine the NeoRouter virtual adapter and a local adapter
On Windows XP+ (except WinXp x64) one can use Windows tool to create a bridge
(check out MSDN for details)
Since some adapters may not fully support prosmic mode one has to enable it manually
(check out httpsupportmicrosoftcomkb302348)
gt netsh bridge show adapter
gt netsh bridge set a 1 e
gt netsh bridge set a 2 e
On Linux one can use brctl command to create a bridge
gt brctl addbr $br
gt brctl addif $br eth0
gt brctl addif $br nrtap
gt ifconfig nrtap 0000 promisc up
gt ifconfig eth0 0000 promisc up
gt ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast
gt
gt ifconfig $br down
gt brctl delbr $br
3 Setup Featureini file on each member of the NeoRouter network The content of the file is
[Default]
NetworkBridge=1
LANSegment1=192168129126-192168129128192168129204
After setting the file restart the nrservice or reboot computer
User Manual
NeoRouter Inc 2010 Page 45 of 53
535 Routing Setup ndash site to site VPN
Requirement
A company wants create a site-to-site VPN to link two offices located in different cities They cannot install
NeoRouter client software on their computers running Unix OS (HP-Unix Solaris or SCO Unix) The NeoRouter
Network Bridge feature would be the best choice
Design
To make the VPN fast its better to use the routing mode From the requirements we can see 3 networks
1 19216812902552552550 Office 1
2 192168302552552550 Office 2
3 100102552552550 NeoRouter virtual network
Setup
1 Setup NeoRouter client on each gateway computers
2 One each gateway computer enable the feature allowing the OS to forward packets
On Windows 2000+
create HKEY_Local_MachineSystemCurrentControlSetServicesTcpipParametersIPEnableRouter
as a string value equal to 1 in the registry This will require a system reboot to take effect To confirm it
is enabled do ipconfig all from the command line IP Routing Enabled should say yes If not confirm your
registry setting and reboot again This setting is flaky in non-server versions of Windows
Also refer to httpsupportmicrosoftcomkb230082en-us
On Linux
gt echo 1 gt procsysnetipv4ip_forward
User Manual
NeoRouter Inc 2010 Page 46 of 53
On Mac OS X
1) The easy way is to create or edit etcsysctlconf and add netinetipforwarding=1
or
2) gt sysctl -w netinetipforwarding=1
3 Setup route on each gateway
On the gateway of the 1921683x network
gt route ndashp add 1921681290 mask 25525500 1001103
On the gateway of the 192168129x network
gt route ndashp add 19216830 mask 25525500 1001102
4 Setup route stable When using routing method you need to tell your other machines how to cross the VPN to
access computers on the opposite network
Option1
This requires more work but limits configuration changes to be at the computer level
On each computer of the 1921683x network
gt route ndashp add 1921681290 mask 25525500 1921683234
On each computer of the 192168129x network
gt route ndashp add 19216830 mask 25525500 192168129129
Option 2 (not all routers support this but it is the minimal configuration method)
On the router acting as the default gateway for 1921683x network add a static route that says any traffic destined
for 1921681290 network go through 1921683x (IP address of NeoRouter PC on 1921683x network)
On the router acting as the default gateway for 192168129x network add a static route that says any traffic
destined for 19216830 network go through 192168129x (IP address of NeoRouter PC on 192168129x
network)
User Manual
NeoRouter Inc 2010 Page 47 of 53
536 Bridging Setup ndash site to site VPN
537 Run Scripts When Network Bridge feature is enabled one can define commands getting called by NR Client on the following
events
These commands should be defined in the Featureini file
1When initialize the tap device but not activate it yet
CmdOnTapInit=xxxxxxxxx
2When the tap device gets activated
CmdOnTapActive=xxxxxxxxx
3When tap device gets destroyed
CmdOnTapUninit=xxxxxxxxx
These options are available on all platforms
For example one can define a script to setup static route table after the tap gets activated and has virtual IP address
assigned
Featureini
CmdOnTapActive=usrbinsetroutetablesh
User Manual
NeoRouter Inc 2010 Page 48 of 53
54 Build Custom Add-on (Windows)
541 Create Custom Add-on You can customize an add-on or even create your own
As an example letrsquos create an add-on to get the system info of a remote computer using PsTools by Mark
Russinovich and systeminfoexe command shipped with Windows
PsTools httptechnetmicrosoftcomen-ussysinternalsbb896649aspx
systeminfo httptechnetmicrosoftcomen-uslibrarybb491007aspx
a Launch NeoRouter Network Explorer open Add-ons Manager dialog
b Click + button to create a new add-on
c In add-on properties dialog enter the following
Add-on name psexec systeminfo
Command
cmdexe C cpstoolspsexecexe NRIPAddress -u ltusernamegt systeminfo amp pause
Please replace ltusernamegt with username on the remote computer
Comment Get SystemInfo of remote machine using psexec
Startup Type Manual
Icon click Change Icon button to choose one thats easy to recognize
d In the command you can use Windows environment variables or NeoRouter variables like
NRIPAddress If you click on the button next to the Command edit box you will see the Edit
Command dialog with a list of variables you can use
User Manual
NeoRouter Inc 2010 Page 49 of 53
e Three Startup types are supported
Manual the add-on will be displayed in the launch pad of Network Explorer and user can manually
launch the program
Automatic after signing in the add-on command is automatically executed when user signs into
NeoRouter Network Explorer
Automatic after Windows starts the add-on command is automatically executed when Windows
starts
f Launch the new add-on just click on the target computer in Network Explorer and choose the add-on in
the pop-up launch pad
User Manual
NeoRouter Inc 2010 Page 50 of 53
g In the above steps I have assumed that PsTools are installed at cPsTools and the remote computer has
telnet service enabled If not lets configure the system now
PsTools download from httptechnetmicrosoftcomen-ussysinternalsbb896649aspx and extract to
cPsTools folder
h Configure telnet service on remote computer This step is required on XPVista but not necessary on
Windows 20032008 servers
Run servicesmsc from the Start -gt Run command window and configured the Telnet service for
Automatic Start the service
Follow the instructions here httpsupportmicrosoftcomkb298060en-us
Launch Windows firewall and add CWINDOWSSystem32tlntsvrexe to exception list
542 Add-on File Formats
NeoRouter supports two types of add-on files nri and nra Most users only need to deal with nri files all files
downloaded from httpwwwneoroutercomaddonsindexhtml are in this format nra files are used by advanced
users to build custom add-ons
nri is the full installation package that contains both the application and the the configure info Users can simply
download nri files from and use the Install button to setup the add-on
nra contains only the configuration info Advanced users can create custom add-ons and export the configuration
info as nra files using the Export button in the add-on properties dialog Then heshe can import the nra file
on another client But remember that you will need to manually setup the application as well
User Manual
NeoRouter Inc 2010 Page 51 of 53
6 Licensing NeoRouter
61 Licensing Overview
NeoRouter Server Professional Edition has a license control mechanism User can purchase either 8 licenses or 256
licenses The number of licenses is the max number of client computers allowed in the virtual network A
NeoRouter client requires one license regardless of whether it is online or offline A NeoRouter PortableUSB client
requires one license when it is connected to the virtual network There is no limit on the number of user accounts
NeoRouter Professional has 30 days trial period Please activate before the trial period expires to ensure
uninterrupted usage The license status and remaining trial days can be found at Configuration Explorerrsquos General
page
62 Activation
If you have purchased NeoRouter Professional Edition you should receive a product key in email Please have the
product key ready before starting the activation process
a Ensure NeoRouter server is running
b Launch Configuration Explorer and sign in
c Open ldquoGeneralrdquo page click on the ldquoActivate Productrdquo button
d Enter the product key in the following dialog
e Click on the ldquoOKrdquo button to activate it
After successful activation the ldquoActivate Productrdquo button will disappear and License status will show as activated
If the server host is non-Windows you can also activate using nrserverrsquos CLI The command is as follows On Mac
nrserver executable is located under LibraryNeoRouter
ldquonrserver ndashactivateproduct ltPRODUCT KEYgtrdquo
63 Product Key Recovery
You should receive a product key in email within 48 hours after your purchase If you lose the product key please
contact us and provide your name company shipping address and email address We will verify the information and
resend the product key to you
User Manual
NeoRouter Inc 2010 Page 52 of 53
7 Troubleshooting and Support
71 Troubleshooting
If you come cross issues when using NeoRouter please use the methods to debug or report
711 Troubleshooting steps
1Install Server
2Check Server
Process
3Check Server
Listening port
4Check Port
Forwarding
6Signin with
Domain
14Check Error
Message
20 Generate Log
and email support
9Install Client
10Check Client
Service Process
11Sign in with
serverrsquos local or
public IP and port
failed
sucessful
15 Manually Start
Servernot found
started
not start
found
not open17 Check Port
conflicts
solved
Not solved
opened
19 Check Router
Port Forward
setting
not work
Set properly
8Ready
Sign in successfully
5Sign in with
public IP and port
successful
Cannot sign in
22 Router Hairpin
issue
Cannot
sign in
12Sign in with
domain name
found
successful
failed
16 Manually Start
Client ServiceNot found
started
13Ready
Sign in successfully
18 Check serverCannot
Sign in
solved
Cannot
sign in
21 Check domain
setting
Not sovled solved
Troubleshooting Steps
Setup Server Setup Client
Note
Step 2 and 10 to check if a process is running you can use Task Manager or Services Console on
Windows or ps command on other platforms
Step 3 to check server listening port you can use telnet or netstat on all platforms You can also
TcpViewer on Windows or NetActView on Linux
Step 4 to check port forwarding you can use httpwwwneoroutercomcheckportphp
Step 5 and 6 Tip ndash use Configuration Explorer instead of Network Explorer to debug server issues
Step 20 next section will explain how to generate log files
User Manual
NeoRouter Inc 2010 Page 53 of 53
Step 22 If your router does not support Hairpin please set serverrsquos LAN address in the Connection
Options dialog See Server Local Address
712 Generate Log
If you need technical support please use the following steps to collect the log files and send them to
supportneoroutercom
a Launch Network Explorer
b Select menu item HelpgtgtTroubleshootinggtgtLog Session to File
c If you want to troubleshoot the server then restart the NeoRouter server service from the servicesmsc if
you want to create log for the client then restart the NeoRouter client service from the servicemsc
d After reproduce the issue select menu item HelpgtgtTroubleshootinggtgt Log Session to File again to disable
the log and restart the service you are trying to log
e Select menu item HelpgtgtTroubleshootinggtgtOpen Configuration Folder and you will see the log file
For advanced users please setup logging settings manually referring to
httpwwwneoroutercomwikiindexphpNeoRouterWikiFAQHow_to_generate_a_log_file3F
72 Contact Us
Company website
httpwwwneoroutercom
Technical support
supportneoroutercom
Support ticket
httpswwwneoroutercomDashboardSendTicketaspx
Support forum
httpwwwneoroutercomforum
Product sales
salesneoroutercom
Knowledge base
httpwwwneoroutercomsupport
User Manual
NeoRouter Inc 2010 Page 38 of 53
45 Managing Server and Domain
In the Settings page you can perform the following tasks
- Change domain name User should have setup a domain during the server installation If you decide to
change the domain name you can create a new domain at NeoRouter Dashboard website and then use
Configuration Explorer to switch the server to new domain
- Change Listen Port this is discussed in the Advanced Configuration chapter
- Change NAT setting this is discussed in the Server Installation chapter
- Change DHCP this is discussed in the Advanced Configuration chapter
Please restart the NeoRouter server daemon after changes
46 Branding
This feature is available in NeoRouter Profession Edition only
Admin can customize the logo on the sign-in page NeoRouter Network Explorer and the banner below the computer
list The customization page of the Configuration Explorer allows user to make these changes The changes will be
effective next time user signs into the Network Explorer
User Manual
NeoRouter Inc 2010 Page 39 of 53
a Logo format custom logo can be JPG JPEG BMP or GIF files The Logo will be displayed in 180 80
pixels and the file will be automatically resized to fit The color of the pixel at (0 0) will be used as the
transparent color
b Banner format custom banner can be JPG JPEG BMP or GIF files The banner will be displayed in
190 42 pixels and the file will be automatically resized to fit
c When user clicks on the banner Network Explorer will launch a web browser and navigate to the link
specified in the ldquoBanner Linkrdquo box The banner link should be a valid URL that begins with http eg
httpwwwgooglecom
User Manual
NeoRouter Inc 2010 Page 40 of 53
47 Server Configuration CLI
Another way to configure the NeoRouter server is to use nrserverrsquos CLI If user does not have a Windows computer
with Configuration Explorer this tool can be used to set most configurations
Usage nrserver [options]
-run [--dbroot ltDBROOTgt]]
-showsettings
-setdomain ltDOMAINNAMEgt ltDOMAINPASSWORDgt
-setport ltPORTgt
-dhcp ltSUBNETgt ltNETMASKgt
-showusers
-adduser ltUSERNAMEgt ltPASSWORDgt [admin|user]
-setpassword ltUSERNAMEgt ltNEW PASSWORDgt
-setrole ltUSERNAMEgt [admin|user]
-enableuser ltUSERNAMEgt
-disableuser ltUSERNAMEgt
-deleteuser ltUSERNAMEgt
-showcomputers
-deletecomputer COMPUTERNAME
-setalias COMPUTERNAME ALIAS
-help
5 Advanced Configuration
51 Change Server Port
By default NeoRouter server listens at TCP port 32976 for incoming client connections User can change the
listening port to any valid number between 1 and 65534
a Launch Configuration Explorer sign in and open the Settings tab
b Click on ldquoChange Portrdquo button input the new listening port and click ldquoOkrdquo to save the settings
c If the NeoRouter Server is running on the same computer user will be prompted for restarting the
NeoRouter Server
d If the NeoRouter Server is running on a different computer or device user needs to restart the server
manually
User Manual
NeoRouter Inc 2010 Page 41 of 53
Note
- The new settings will not take effect until the NeoRouter server stops and restarts
- Since the listening port has been changed all NeoRouter clients connected to the server will be
disconnected and have to reconnect to the server
52 Change DHCP NeoRouter server acts as a DHCP server to allocate the virtual IP address when a NeoRouter client connects to it By default the base IP address is 100002552552550 User can change the base IP address to any valid network IP address to meet the specific requirements
a Run Configuration Explorer sign in and open the ldquoSettingsrdquo tab b Click on ldquoChange DHCPrdquo button input the new IP address and netmask and then click ldquoOkrdquo to save the
settings c If the NeoRouter Server is running on the same computer user will be prompted for restarting the
NeoRouter Server d If the NeoRouter Server is running on a different computer or device user needs to restart the server
manually
Note
- The new settings will not take effect until the NeoRouter server stops and restarts
53 Network Bridge
531 Overview NeoRouter (v099 or later) supports the Network Bridge feature which uses two very different means for
interconnecting networks routing and bridging Once the feature is enabled the ACL feature will be disabled
automatically as we cannot control the packets from the external networks anymore and may cause security issues if
its not setup properly So this is an advanced feature for the users who know about it every well
Routing - refers to the interconnection of separate and independent sub-networks (subnets) which have non-
overlapping ranges of IP addresses Upon receiving a packet sent to it a network router examines the
destination IP address to determine which of several connected networks should receive it after which that packet
is forwarded to the proper network
User Manual
NeoRouter Inc 2010 Page 42 of 53
Bridging - by comparison is much simpler A network bridge is simply an electrical interconnection between
separate physical networks that are all carrying the same ranges of IP addresses Standard dumb network hubs
and switches are examples of network bridges With a hub packets arriving at any port are bridged and sent
out to every other port A switch is a bit smarter since it is able to adaptively learn which network interface cards
(NICs) are attached to which ports But a switch is still interconnecting network segments carrying the same
ranges of IP addresses
532 Routing vs Bridging Although routed connections are the most common and straightforward to configure they suffer from significant
operational limitations By comparison bridged connections are generally much trickier to configure and are not
even natively available under all operating systems so they are not the default connection type But when bridging
is properly setup it correctly does everything that we want
Bridging and routing are functionally very similar with the major difference being that a routed VPN will not pass
IP broadcasts while a bridged VPN will
Routing advantages
Efficiency and scalability
Allows better tuning of MTU for efficiency
Routing disadvantages
Clients must use a WINS server (such as samba) to allow cross-VPN network browsing to work
Routes must be set up linking each subnet
Software that depends on broadcasts will not see machines on the other side of the VPN
Works only with IPv4 in general and IPv6 in cases where tuntap drivers on both ends of the connection
support it explicitly
Bridging advantages
Broadcasts traverse the VPN -- this allows software that depends on LAN broadcasts such as Windows
NetBIOS file sharing and network neighborhood browsing to work
No route statements to configure
Works with any protocol that can function over ethernet
Relatively easy-to-configure solution for road warriors
Bridging disadvantages
Less efficient than routing and does not scale well
533 Setup Network Bridge With either bridging mode or routing mode one can create point-to-site VPN site-to-site VPN or even multiple site-
to-site networks Once a network structure is well designed one can use Featureini file to control NeoRouter client
service to implement it
The file Featureini is located in the main configuration folder which can be various for different OS
On Windows Xp
XDocuments and SettingsAll UsersApplication DataZebraNetworkSystemsNeoRouter
On Vista+
XUsersAll UsersZebraNetworkSystemsNeoRouter
On Linux and Mac OSX
usrlocalZebraNetworkSystemsNeoRouter
On in-a-box
jffs
If it does not exist please create one
The only thing to do is define the parameters in the Featureini file
User Manual
NeoRouter Inc 2010 Page 43 of 53
NetworkBridge=1
LANSegment parameter
This is a set of parameters used for mapping the external IP address or IP range to a virtual IP address so that
NeoRouter can route the packets to the proper tunnel Its defined in the following format
LANSegment[index]=[IP|IP range|segment]VIP
[index] - number start from 1 for example 123
[IP] - a valid external IP address for example 192168129126
[IP range] - a set of external IP addresses in the format as IP_BEGIN-IP_END For example 192168129126-
192168129128
[segment] - a set of external IP addresses in the format as SUBNETWORKNETMASK For example
19216812902552552550
For example
[Default]
NetworkBridge=1
LANSegment1=192168129126-192168129128192168129204
LANSegment2=192168129120192168129205
LANSegment3=192168302552552550192168129206
In the sample above the setting tells NeoRouter how to route packets
Here are several common scenarios
534 Bridging Setup ndash point to site VPN
Requirement
A company wants create a point-to-site VPN so that the employees can remotely access the printers or computers in
the office from home or customer site Since NeoRouter client cannot be installed on the printers and some
User Manual
NeoRouter Inc 2010 Page 44 of 53
computers that are running Unix OS (HP-Unix Solaris or SCO Unix) the NeoRouter Network Bridge feature
would the best choice
Design
Since we want to use the printer its better to use the bridging mode Depending on the requirements we split the
network into 3 groups
1 192168129126 - 192168128128 used for computers or printers
2 192168129200 - 192168129254 used for NeoRouter DHCP
3 Other IP address we dont want packets from these IP range go to our VPN
Setup
1 Setup NeoRouter server and config the DHCP address to 1921681292002552552550
2 Setup the gateway computer by creating a bridge to combine the NeoRouter virtual adapter and a local adapter
On Windows XP+ (except WinXp x64) one can use Windows tool to create a bridge
(check out MSDN for details)
Since some adapters may not fully support prosmic mode one has to enable it manually
(check out httpsupportmicrosoftcomkb302348)
gt netsh bridge show adapter
gt netsh bridge set a 1 e
gt netsh bridge set a 2 e
On Linux one can use brctl command to create a bridge
gt brctl addbr $br
gt brctl addif $br eth0
gt brctl addif $br nrtap
gt ifconfig nrtap 0000 promisc up
gt ifconfig eth0 0000 promisc up
gt ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast
gt
gt ifconfig $br down
gt brctl delbr $br
3 Setup Featureini file on each member of the NeoRouter network The content of the file is
[Default]
NetworkBridge=1
LANSegment1=192168129126-192168129128192168129204
After setting the file restart the nrservice or reboot computer
User Manual
NeoRouter Inc 2010 Page 45 of 53
535 Routing Setup ndash site to site VPN
Requirement
A company wants create a site-to-site VPN to link two offices located in different cities They cannot install
NeoRouter client software on their computers running Unix OS (HP-Unix Solaris or SCO Unix) The NeoRouter
Network Bridge feature would be the best choice
Design
To make the VPN fast its better to use the routing mode From the requirements we can see 3 networks
1 19216812902552552550 Office 1
2 192168302552552550 Office 2
3 100102552552550 NeoRouter virtual network
Setup
1 Setup NeoRouter client on each gateway computers
2 One each gateway computer enable the feature allowing the OS to forward packets
On Windows 2000+
create HKEY_Local_MachineSystemCurrentControlSetServicesTcpipParametersIPEnableRouter
as a string value equal to 1 in the registry This will require a system reboot to take effect To confirm it
is enabled do ipconfig all from the command line IP Routing Enabled should say yes If not confirm your
registry setting and reboot again This setting is flaky in non-server versions of Windows
Also refer to httpsupportmicrosoftcomkb230082en-us
On Linux
gt echo 1 gt procsysnetipv4ip_forward
User Manual
NeoRouter Inc 2010 Page 46 of 53
On Mac OS X
1) The easy way is to create or edit etcsysctlconf and add netinetipforwarding=1
or
2) gt sysctl -w netinetipforwarding=1
3 Setup route on each gateway
On the gateway of the 1921683x network
gt route ndashp add 1921681290 mask 25525500 1001103
On the gateway of the 192168129x network
gt route ndashp add 19216830 mask 25525500 1001102
4 Setup route stable When using routing method you need to tell your other machines how to cross the VPN to
access computers on the opposite network
Option1
This requires more work but limits configuration changes to be at the computer level
On each computer of the 1921683x network
gt route ndashp add 1921681290 mask 25525500 1921683234
On each computer of the 192168129x network
gt route ndashp add 19216830 mask 25525500 192168129129
Option 2 (not all routers support this but it is the minimal configuration method)
On the router acting as the default gateway for 1921683x network add a static route that says any traffic destined
for 1921681290 network go through 1921683x (IP address of NeoRouter PC on 1921683x network)
On the router acting as the default gateway for 192168129x network add a static route that says any traffic
destined for 19216830 network go through 192168129x (IP address of NeoRouter PC on 192168129x
network)
User Manual
NeoRouter Inc 2010 Page 47 of 53
536 Bridging Setup ndash site to site VPN
537 Run Scripts When Network Bridge feature is enabled one can define commands getting called by NR Client on the following
events
These commands should be defined in the Featureini file
1When initialize the tap device but not activate it yet
CmdOnTapInit=xxxxxxxxx
2When the tap device gets activated
CmdOnTapActive=xxxxxxxxx
3When tap device gets destroyed
CmdOnTapUninit=xxxxxxxxx
These options are available on all platforms
For example one can define a script to setup static route table after the tap gets activated and has virtual IP address
assigned
Featureini
CmdOnTapActive=usrbinsetroutetablesh
User Manual
NeoRouter Inc 2010 Page 48 of 53
54 Build Custom Add-on (Windows)
541 Create Custom Add-on You can customize an add-on or even create your own
As an example letrsquos create an add-on to get the system info of a remote computer using PsTools by Mark
Russinovich and systeminfoexe command shipped with Windows
PsTools httptechnetmicrosoftcomen-ussysinternalsbb896649aspx
systeminfo httptechnetmicrosoftcomen-uslibrarybb491007aspx
a Launch NeoRouter Network Explorer open Add-ons Manager dialog
b Click + button to create a new add-on
c In add-on properties dialog enter the following
Add-on name psexec systeminfo
Command
cmdexe C cpstoolspsexecexe NRIPAddress -u ltusernamegt systeminfo amp pause
Please replace ltusernamegt with username on the remote computer
Comment Get SystemInfo of remote machine using psexec
Startup Type Manual
Icon click Change Icon button to choose one thats easy to recognize
d In the command you can use Windows environment variables or NeoRouter variables like
NRIPAddress If you click on the button next to the Command edit box you will see the Edit
Command dialog with a list of variables you can use
User Manual
NeoRouter Inc 2010 Page 49 of 53
e Three Startup types are supported
Manual the add-on will be displayed in the launch pad of Network Explorer and user can manually
launch the program
Automatic after signing in the add-on command is automatically executed when user signs into
NeoRouter Network Explorer
Automatic after Windows starts the add-on command is automatically executed when Windows
starts
f Launch the new add-on just click on the target computer in Network Explorer and choose the add-on in
the pop-up launch pad
User Manual
NeoRouter Inc 2010 Page 50 of 53
g In the above steps I have assumed that PsTools are installed at cPsTools and the remote computer has
telnet service enabled If not lets configure the system now
PsTools download from httptechnetmicrosoftcomen-ussysinternalsbb896649aspx and extract to
cPsTools folder
h Configure telnet service on remote computer This step is required on XPVista but not necessary on
Windows 20032008 servers
Run servicesmsc from the Start -gt Run command window and configured the Telnet service for
Automatic Start the service
Follow the instructions here httpsupportmicrosoftcomkb298060en-us
Launch Windows firewall and add CWINDOWSSystem32tlntsvrexe to exception list
542 Add-on File Formats
NeoRouter supports two types of add-on files nri and nra Most users only need to deal with nri files all files
downloaded from httpwwwneoroutercomaddonsindexhtml are in this format nra files are used by advanced
users to build custom add-ons
nri is the full installation package that contains both the application and the the configure info Users can simply
download nri files from and use the Install button to setup the add-on
nra contains only the configuration info Advanced users can create custom add-ons and export the configuration
info as nra files using the Export button in the add-on properties dialog Then heshe can import the nra file
on another client But remember that you will need to manually setup the application as well
User Manual
NeoRouter Inc 2010 Page 51 of 53
6 Licensing NeoRouter
61 Licensing Overview
NeoRouter Server Professional Edition has a license control mechanism User can purchase either 8 licenses or 256
licenses The number of licenses is the max number of client computers allowed in the virtual network A
NeoRouter client requires one license regardless of whether it is online or offline A NeoRouter PortableUSB client
requires one license when it is connected to the virtual network There is no limit on the number of user accounts
NeoRouter Professional has 30 days trial period Please activate before the trial period expires to ensure
uninterrupted usage The license status and remaining trial days can be found at Configuration Explorerrsquos General
page
62 Activation
If you have purchased NeoRouter Professional Edition you should receive a product key in email Please have the
product key ready before starting the activation process
a Ensure NeoRouter server is running
b Launch Configuration Explorer and sign in
c Open ldquoGeneralrdquo page click on the ldquoActivate Productrdquo button
d Enter the product key in the following dialog
e Click on the ldquoOKrdquo button to activate it
After successful activation the ldquoActivate Productrdquo button will disappear and License status will show as activated
If the server host is non-Windows you can also activate using nrserverrsquos CLI The command is as follows On Mac
nrserver executable is located under LibraryNeoRouter
ldquonrserver ndashactivateproduct ltPRODUCT KEYgtrdquo
63 Product Key Recovery
You should receive a product key in email within 48 hours after your purchase If you lose the product key please
contact us and provide your name company shipping address and email address We will verify the information and
resend the product key to you
User Manual
NeoRouter Inc 2010 Page 52 of 53
7 Troubleshooting and Support
71 Troubleshooting
If you come cross issues when using NeoRouter please use the methods to debug or report
711 Troubleshooting steps
1Install Server
2Check Server
Process
3Check Server
Listening port
4Check Port
Forwarding
6Signin with
Domain
14Check Error
Message
20 Generate Log
and email support
9Install Client
10Check Client
Service Process
11Sign in with
serverrsquos local or
public IP and port
failed
sucessful
15 Manually Start
Servernot found
started
not start
found
not open17 Check Port
conflicts
solved
Not solved
opened
19 Check Router
Port Forward
setting
not work
Set properly
8Ready
Sign in successfully
5Sign in with
public IP and port
successful
Cannot sign in
22 Router Hairpin
issue
Cannot
sign in
12Sign in with
domain name
found
successful
failed
16 Manually Start
Client ServiceNot found
started
13Ready
Sign in successfully
18 Check serverCannot
Sign in
solved
Cannot
sign in
21 Check domain
setting
Not sovled solved
Troubleshooting Steps
Setup Server Setup Client
Note
Step 2 and 10 to check if a process is running you can use Task Manager or Services Console on
Windows or ps command on other platforms
Step 3 to check server listening port you can use telnet or netstat on all platforms You can also
TcpViewer on Windows or NetActView on Linux
Step 4 to check port forwarding you can use httpwwwneoroutercomcheckportphp
Step 5 and 6 Tip ndash use Configuration Explorer instead of Network Explorer to debug server issues
Step 20 next section will explain how to generate log files
User Manual
NeoRouter Inc 2010 Page 53 of 53
Step 22 If your router does not support Hairpin please set serverrsquos LAN address in the Connection
Options dialog See Server Local Address
712 Generate Log
If you need technical support please use the following steps to collect the log files and send them to
supportneoroutercom
a Launch Network Explorer
b Select menu item HelpgtgtTroubleshootinggtgtLog Session to File
c If you want to troubleshoot the server then restart the NeoRouter server service from the servicesmsc if
you want to create log for the client then restart the NeoRouter client service from the servicemsc
d After reproduce the issue select menu item HelpgtgtTroubleshootinggtgt Log Session to File again to disable
the log and restart the service you are trying to log
e Select menu item HelpgtgtTroubleshootinggtgtOpen Configuration Folder and you will see the log file
For advanced users please setup logging settings manually referring to
httpwwwneoroutercomwikiindexphpNeoRouterWikiFAQHow_to_generate_a_log_file3F
72 Contact Us
Company website
httpwwwneoroutercom
Technical support
supportneoroutercom
Support ticket
httpswwwneoroutercomDashboardSendTicketaspx
Support forum
httpwwwneoroutercomforum
Product sales
salesneoroutercom
Knowledge base
httpwwwneoroutercomsupport
User Manual
NeoRouter Inc 2010 Page 39 of 53
a Logo format custom logo can be JPG JPEG BMP or GIF files The Logo will be displayed in 180 80
pixels and the file will be automatically resized to fit The color of the pixel at (0 0) will be used as the
transparent color
b Banner format custom banner can be JPG JPEG BMP or GIF files The banner will be displayed in
190 42 pixels and the file will be automatically resized to fit
c When user clicks on the banner Network Explorer will launch a web browser and navigate to the link
specified in the ldquoBanner Linkrdquo box The banner link should be a valid URL that begins with http eg
httpwwwgooglecom
User Manual
NeoRouter Inc 2010 Page 40 of 53
47 Server Configuration CLI
Another way to configure the NeoRouter server is to use nrserverrsquos CLI If user does not have a Windows computer
with Configuration Explorer this tool can be used to set most configurations
Usage nrserver [options]
-run [--dbroot ltDBROOTgt]]
-showsettings
-setdomain ltDOMAINNAMEgt ltDOMAINPASSWORDgt
-setport ltPORTgt
-dhcp ltSUBNETgt ltNETMASKgt
-showusers
-adduser ltUSERNAMEgt ltPASSWORDgt [admin|user]
-setpassword ltUSERNAMEgt ltNEW PASSWORDgt
-setrole ltUSERNAMEgt [admin|user]
-enableuser ltUSERNAMEgt
-disableuser ltUSERNAMEgt
-deleteuser ltUSERNAMEgt
-showcomputers
-deletecomputer COMPUTERNAME
-setalias COMPUTERNAME ALIAS
-help
5 Advanced Configuration
51 Change Server Port
By default NeoRouter server listens at TCP port 32976 for incoming client connections User can change the
listening port to any valid number between 1 and 65534
a Launch Configuration Explorer sign in and open the Settings tab
b Click on ldquoChange Portrdquo button input the new listening port and click ldquoOkrdquo to save the settings
c If the NeoRouter Server is running on the same computer user will be prompted for restarting the
NeoRouter Server
d If the NeoRouter Server is running on a different computer or device user needs to restart the server
manually
User Manual
NeoRouter Inc 2010 Page 41 of 53
Note
- The new settings will not take effect until the NeoRouter server stops and restarts
- Since the listening port has been changed all NeoRouter clients connected to the server will be
disconnected and have to reconnect to the server
52 Change DHCP NeoRouter server acts as a DHCP server to allocate the virtual IP address when a NeoRouter client connects to it By default the base IP address is 100002552552550 User can change the base IP address to any valid network IP address to meet the specific requirements
a Run Configuration Explorer sign in and open the ldquoSettingsrdquo tab b Click on ldquoChange DHCPrdquo button input the new IP address and netmask and then click ldquoOkrdquo to save the
settings c If the NeoRouter Server is running on the same computer user will be prompted for restarting the
NeoRouter Server d If the NeoRouter Server is running on a different computer or device user needs to restart the server
manually
Note
- The new settings will not take effect until the NeoRouter server stops and restarts
53 Network Bridge
531 Overview NeoRouter (v099 or later) supports the Network Bridge feature which uses two very different means for
interconnecting networks routing and bridging Once the feature is enabled the ACL feature will be disabled
automatically as we cannot control the packets from the external networks anymore and may cause security issues if
its not setup properly So this is an advanced feature for the users who know about it every well
Routing - refers to the interconnection of separate and independent sub-networks (subnets) which have non-
overlapping ranges of IP addresses Upon receiving a packet sent to it a network router examines the
destination IP address to determine which of several connected networks should receive it after which that packet
is forwarded to the proper network
User Manual
NeoRouter Inc 2010 Page 42 of 53
Bridging - by comparison is much simpler A network bridge is simply an electrical interconnection between
separate physical networks that are all carrying the same ranges of IP addresses Standard dumb network hubs
and switches are examples of network bridges With a hub packets arriving at any port are bridged and sent
out to every other port A switch is a bit smarter since it is able to adaptively learn which network interface cards
(NICs) are attached to which ports But a switch is still interconnecting network segments carrying the same
ranges of IP addresses
532 Routing vs Bridging Although routed connections are the most common and straightforward to configure they suffer from significant
operational limitations By comparison bridged connections are generally much trickier to configure and are not
even natively available under all operating systems so they are not the default connection type But when bridging
is properly setup it correctly does everything that we want
Bridging and routing are functionally very similar with the major difference being that a routed VPN will not pass
IP broadcasts while a bridged VPN will
Routing advantages
Efficiency and scalability
Allows better tuning of MTU for efficiency
Routing disadvantages
Clients must use a WINS server (such as samba) to allow cross-VPN network browsing to work
Routes must be set up linking each subnet
Software that depends on broadcasts will not see machines on the other side of the VPN
Works only with IPv4 in general and IPv6 in cases where tuntap drivers on both ends of the connection
support it explicitly
Bridging advantages
Broadcasts traverse the VPN -- this allows software that depends on LAN broadcasts such as Windows
NetBIOS file sharing and network neighborhood browsing to work
No route statements to configure
Works with any protocol that can function over ethernet
Relatively easy-to-configure solution for road warriors
Bridging disadvantages
Less efficient than routing and does not scale well
533 Setup Network Bridge With either bridging mode or routing mode one can create point-to-site VPN site-to-site VPN or even multiple site-
to-site networks Once a network structure is well designed one can use Featureini file to control NeoRouter client
service to implement it
The file Featureini is located in the main configuration folder which can be various for different OS
On Windows Xp
XDocuments and SettingsAll UsersApplication DataZebraNetworkSystemsNeoRouter
On Vista+
XUsersAll UsersZebraNetworkSystemsNeoRouter
On Linux and Mac OSX
usrlocalZebraNetworkSystemsNeoRouter
On in-a-box
jffs
If it does not exist please create one
The only thing to do is define the parameters in the Featureini file
User Manual
NeoRouter Inc 2010 Page 43 of 53
NetworkBridge=1
LANSegment parameter
This is a set of parameters used for mapping the external IP address or IP range to a virtual IP address so that
NeoRouter can route the packets to the proper tunnel Its defined in the following format
LANSegment[index]=[IP|IP range|segment]VIP
[index] - number start from 1 for example 123
[IP] - a valid external IP address for example 192168129126
[IP range] - a set of external IP addresses in the format as IP_BEGIN-IP_END For example 192168129126-
192168129128
[segment] - a set of external IP addresses in the format as SUBNETWORKNETMASK For example
19216812902552552550
For example
[Default]
NetworkBridge=1
LANSegment1=192168129126-192168129128192168129204
LANSegment2=192168129120192168129205
LANSegment3=192168302552552550192168129206
In the sample above the setting tells NeoRouter how to route packets
Here are several common scenarios
534 Bridging Setup ndash point to site VPN
Requirement
A company wants create a point-to-site VPN so that the employees can remotely access the printers or computers in
the office from home or customer site Since NeoRouter client cannot be installed on the printers and some
User Manual
NeoRouter Inc 2010 Page 44 of 53
computers that are running Unix OS (HP-Unix Solaris or SCO Unix) the NeoRouter Network Bridge feature
would the best choice
Design
Since we want to use the printer its better to use the bridging mode Depending on the requirements we split the
network into 3 groups
1 192168129126 - 192168128128 used for computers or printers
2 192168129200 - 192168129254 used for NeoRouter DHCP
3 Other IP address we dont want packets from these IP range go to our VPN
Setup
1 Setup NeoRouter server and config the DHCP address to 1921681292002552552550
2 Setup the gateway computer by creating a bridge to combine the NeoRouter virtual adapter and a local adapter
On Windows XP+ (except WinXp x64) one can use Windows tool to create a bridge
(check out MSDN for details)
Since some adapters may not fully support prosmic mode one has to enable it manually
(check out httpsupportmicrosoftcomkb302348)
gt netsh bridge show adapter
gt netsh bridge set a 1 e
gt netsh bridge set a 2 e
On Linux one can use brctl command to create a bridge
gt brctl addbr $br
gt brctl addif $br eth0
gt brctl addif $br nrtap
gt ifconfig nrtap 0000 promisc up
gt ifconfig eth0 0000 promisc up
gt ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast
gt
gt ifconfig $br down
gt brctl delbr $br
3 Setup Featureini file on each member of the NeoRouter network The content of the file is
[Default]
NetworkBridge=1
LANSegment1=192168129126-192168129128192168129204
After setting the file restart the nrservice or reboot computer
User Manual
NeoRouter Inc 2010 Page 45 of 53
535 Routing Setup ndash site to site VPN
Requirement
A company wants create a site-to-site VPN to link two offices located in different cities They cannot install
NeoRouter client software on their computers running Unix OS (HP-Unix Solaris or SCO Unix) The NeoRouter
Network Bridge feature would be the best choice
Design
To make the VPN fast its better to use the routing mode From the requirements we can see 3 networks
1 19216812902552552550 Office 1
2 192168302552552550 Office 2
3 100102552552550 NeoRouter virtual network
Setup
1 Setup NeoRouter client on each gateway computers
2 One each gateway computer enable the feature allowing the OS to forward packets
On Windows 2000+
create HKEY_Local_MachineSystemCurrentControlSetServicesTcpipParametersIPEnableRouter
as a string value equal to 1 in the registry This will require a system reboot to take effect To confirm it
is enabled do ipconfig all from the command line IP Routing Enabled should say yes If not confirm your
registry setting and reboot again This setting is flaky in non-server versions of Windows
Also refer to httpsupportmicrosoftcomkb230082en-us
On Linux
gt echo 1 gt procsysnetipv4ip_forward
User Manual
NeoRouter Inc 2010 Page 46 of 53
On Mac OS X
1) The easy way is to create or edit etcsysctlconf and add netinetipforwarding=1
or
2) gt sysctl -w netinetipforwarding=1
3 Setup route on each gateway
On the gateway of the 1921683x network
gt route ndashp add 1921681290 mask 25525500 1001103
On the gateway of the 192168129x network
gt route ndashp add 19216830 mask 25525500 1001102
4 Setup route stable When using routing method you need to tell your other machines how to cross the VPN to
access computers on the opposite network
Option1
This requires more work but limits configuration changes to be at the computer level
On each computer of the 1921683x network
gt route ndashp add 1921681290 mask 25525500 1921683234
On each computer of the 192168129x network
gt route ndashp add 19216830 mask 25525500 192168129129
Option 2 (not all routers support this but it is the minimal configuration method)
On the router acting as the default gateway for 1921683x network add a static route that says any traffic destined
for 1921681290 network go through 1921683x (IP address of NeoRouter PC on 1921683x network)
On the router acting as the default gateway for 192168129x network add a static route that says any traffic
destined for 19216830 network go through 192168129x (IP address of NeoRouter PC on 192168129x
network)
User Manual
NeoRouter Inc 2010 Page 47 of 53
536 Bridging Setup ndash site to site VPN
537 Run Scripts When Network Bridge feature is enabled one can define commands getting called by NR Client on the following
events
These commands should be defined in the Featureini file
1When initialize the tap device but not activate it yet
CmdOnTapInit=xxxxxxxxx
2When the tap device gets activated
CmdOnTapActive=xxxxxxxxx
3When tap device gets destroyed
CmdOnTapUninit=xxxxxxxxx
These options are available on all platforms
For example one can define a script to setup static route table after the tap gets activated and has virtual IP address
assigned
Featureini
CmdOnTapActive=usrbinsetroutetablesh
User Manual
NeoRouter Inc 2010 Page 48 of 53
54 Build Custom Add-on (Windows)
541 Create Custom Add-on You can customize an add-on or even create your own
As an example letrsquos create an add-on to get the system info of a remote computer using PsTools by Mark
Russinovich and systeminfoexe command shipped with Windows
PsTools httptechnetmicrosoftcomen-ussysinternalsbb896649aspx
systeminfo httptechnetmicrosoftcomen-uslibrarybb491007aspx
a Launch NeoRouter Network Explorer open Add-ons Manager dialog
b Click + button to create a new add-on
c In add-on properties dialog enter the following
Add-on name psexec systeminfo
Command
cmdexe C cpstoolspsexecexe NRIPAddress -u ltusernamegt systeminfo amp pause
Please replace ltusernamegt with username on the remote computer
Comment Get SystemInfo of remote machine using psexec
Startup Type Manual
Icon click Change Icon button to choose one thats easy to recognize
d In the command you can use Windows environment variables or NeoRouter variables like
NRIPAddress If you click on the button next to the Command edit box you will see the Edit
Command dialog with a list of variables you can use
User Manual
NeoRouter Inc 2010 Page 49 of 53
e Three Startup types are supported
Manual the add-on will be displayed in the launch pad of Network Explorer and user can manually
launch the program
Automatic after signing in the add-on command is automatically executed when user signs into
NeoRouter Network Explorer
Automatic after Windows starts the add-on command is automatically executed when Windows
starts
f Launch the new add-on just click on the target computer in Network Explorer and choose the add-on in
the pop-up launch pad
User Manual
NeoRouter Inc 2010 Page 50 of 53
g In the above steps I have assumed that PsTools are installed at cPsTools and the remote computer has
telnet service enabled If not lets configure the system now
PsTools download from httptechnetmicrosoftcomen-ussysinternalsbb896649aspx and extract to
cPsTools folder
h Configure telnet service on remote computer This step is required on XPVista but not necessary on
Windows 20032008 servers
Run servicesmsc from the Start -gt Run command window and configured the Telnet service for
Automatic Start the service
Follow the instructions here httpsupportmicrosoftcomkb298060en-us
Launch Windows firewall and add CWINDOWSSystem32tlntsvrexe to exception list
542 Add-on File Formats
NeoRouter supports two types of add-on files nri and nra Most users only need to deal with nri files all files
downloaded from httpwwwneoroutercomaddonsindexhtml are in this format nra files are used by advanced
users to build custom add-ons
nri is the full installation package that contains both the application and the the configure info Users can simply
download nri files from and use the Install button to setup the add-on
nra contains only the configuration info Advanced users can create custom add-ons and export the configuration
info as nra files using the Export button in the add-on properties dialog Then heshe can import the nra file
on another client But remember that you will need to manually setup the application as well
User Manual
NeoRouter Inc 2010 Page 51 of 53
6 Licensing NeoRouter
61 Licensing Overview
NeoRouter Server Professional Edition has a license control mechanism User can purchase either 8 licenses or 256
licenses The number of licenses is the max number of client computers allowed in the virtual network A
NeoRouter client requires one license regardless of whether it is online or offline A NeoRouter PortableUSB client
requires one license when it is connected to the virtual network There is no limit on the number of user accounts
NeoRouter Professional has 30 days trial period Please activate before the trial period expires to ensure
uninterrupted usage The license status and remaining trial days can be found at Configuration Explorerrsquos General
page
62 Activation
If you have purchased NeoRouter Professional Edition you should receive a product key in email Please have the
product key ready before starting the activation process
a Ensure NeoRouter server is running
b Launch Configuration Explorer and sign in
c Open ldquoGeneralrdquo page click on the ldquoActivate Productrdquo button
d Enter the product key in the following dialog
e Click on the ldquoOKrdquo button to activate it
After successful activation the ldquoActivate Productrdquo button will disappear and License status will show as activated
If the server host is non-Windows you can also activate using nrserverrsquos CLI The command is as follows On Mac
nrserver executable is located under LibraryNeoRouter
ldquonrserver ndashactivateproduct ltPRODUCT KEYgtrdquo
63 Product Key Recovery
You should receive a product key in email within 48 hours after your purchase If you lose the product key please
contact us and provide your name company shipping address and email address We will verify the information and
resend the product key to you
User Manual
NeoRouter Inc 2010 Page 52 of 53
7 Troubleshooting and Support
71 Troubleshooting
If you come cross issues when using NeoRouter please use the methods to debug or report
711 Troubleshooting steps
1Install Server
2Check Server
Process
3Check Server
Listening port
4Check Port
Forwarding
6Signin with
Domain
14Check Error
Message
20 Generate Log
and email support
9Install Client
10Check Client
Service Process
11Sign in with
serverrsquos local or
public IP and port
failed
sucessful
15 Manually Start
Servernot found
started
not start
found
not open17 Check Port
conflicts
solved
Not solved
opened
19 Check Router
Port Forward
setting
not work
Set properly
8Ready
Sign in successfully
5Sign in with
public IP and port
successful
Cannot sign in
22 Router Hairpin
issue
Cannot
sign in
12Sign in with
domain name
found
successful
failed
16 Manually Start
Client ServiceNot found
started
13Ready
Sign in successfully
18 Check serverCannot
Sign in
solved
Cannot
sign in
21 Check domain
setting
Not sovled solved
Troubleshooting Steps
Setup Server Setup Client
Note
Step 2 and 10 to check if a process is running you can use Task Manager or Services Console on
Windows or ps command on other platforms
Step 3 to check server listening port you can use telnet or netstat on all platforms You can also
TcpViewer on Windows or NetActView on Linux
Step 4 to check port forwarding you can use httpwwwneoroutercomcheckportphp
Step 5 and 6 Tip ndash use Configuration Explorer instead of Network Explorer to debug server issues
Step 20 next section will explain how to generate log files
User Manual
NeoRouter Inc 2010 Page 53 of 53
Step 22 If your router does not support Hairpin please set serverrsquos LAN address in the Connection
Options dialog See Server Local Address
712 Generate Log
If you need technical support please use the following steps to collect the log files and send them to
supportneoroutercom
a Launch Network Explorer
b Select menu item HelpgtgtTroubleshootinggtgtLog Session to File
c If you want to troubleshoot the server then restart the NeoRouter server service from the servicesmsc if
you want to create log for the client then restart the NeoRouter client service from the servicemsc
d After reproduce the issue select menu item HelpgtgtTroubleshootinggtgt Log Session to File again to disable
the log and restart the service you are trying to log
e Select menu item HelpgtgtTroubleshootinggtgtOpen Configuration Folder and you will see the log file
For advanced users please setup logging settings manually referring to
httpwwwneoroutercomwikiindexphpNeoRouterWikiFAQHow_to_generate_a_log_file3F
72 Contact Us
Company website
httpwwwneoroutercom
Technical support
supportneoroutercom
Support ticket
httpswwwneoroutercomDashboardSendTicketaspx
Support forum
httpwwwneoroutercomforum
Product sales
salesneoroutercom
Knowledge base
httpwwwneoroutercomsupport
User Manual
NeoRouter Inc 2010 Page 40 of 53
47 Server Configuration CLI
Another way to configure the NeoRouter server is to use nrserverrsquos CLI If user does not have a Windows computer
with Configuration Explorer this tool can be used to set most configurations
Usage nrserver [options]
-run [--dbroot ltDBROOTgt]]
-showsettings
-setdomain ltDOMAINNAMEgt ltDOMAINPASSWORDgt
-setport ltPORTgt
-dhcp ltSUBNETgt ltNETMASKgt
-showusers
-adduser ltUSERNAMEgt ltPASSWORDgt [admin|user]
-setpassword ltUSERNAMEgt ltNEW PASSWORDgt
-setrole ltUSERNAMEgt [admin|user]
-enableuser ltUSERNAMEgt
-disableuser ltUSERNAMEgt
-deleteuser ltUSERNAMEgt
-showcomputers
-deletecomputer COMPUTERNAME
-setalias COMPUTERNAME ALIAS
-help
5 Advanced Configuration
51 Change Server Port
By default NeoRouter server listens at TCP port 32976 for incoming client connections User can change the
listening port to any valid number between 1 and 65534
a Launch Configuration Explorer sign in and open the Settings tab
b Click on ldquoChange Portrdquo button input the new listening port and click ldquoOkrdquo to save the settings
c If the NeoRouter Server is running on the same computer user will be prompted for restarting the
NeoRouter Server
d If the NeoRouter Server is running on a different computer or device user needs to restart the server
manually
User Manual
NeoRouter Inc 2010 Page 41 of 53
Note
- The new settings will not take effect until the NeoRouter server stops and restarts
- Since the listening port has been changed all NeoRouter clients connected to the server will be
disconnected and have to reconnect to the server
52 Change DHCP NeoRouter server acts as a DHCP server to allocate the virtual IP address when a NeoRouter client connects to it By default the base IP address is 100002552552550 User can change the base IP address to any valid network IP address to meet the specific requirements
a Run Configuration Explorer sign in and open the ldquoSettingsrdquo tab b Click on ldquoChange DHCPrdquo button input the new IP address and netmask and then click ldquoOkrdquo to save the
settings c If the NeoRouter Server is running on the same computer user will be prompted for restarting the
NeoRouter Server d If the NeoRouter Server is running on a different computer or device user needs to restart the server
manually
Note
- The new settings will not take effect until the NeoRouter server stops and restarts
53 Network Bridge
531 Overview NeoRouter (v099 or later) supports the Network Bridge feature which uses two very different means for
interconnecting networks routing and bridging Once the feature is enabled the ACL feature will be disabled
automatically as we cannot control the packets from the external networks anymore and may cause security issues if
its not setup properly So this is an advanced feature for the users who know about it every well
Routing - refers to the interconnection of separate and independent sub-networks (subnets) which have non-
overlapping ranges of IP addresses Upon receiving a packet sent to it a network router examines the
destination IP address to determine which of several connected networks should receive it after which that packet
is forwarded to the proper network
User Manual
NeoRouter Inc 2010 Page 42 of 53
Bridging - by comparison is much simpler A network bridge is simply an electrical interconnection between
separate physical networks that are all carrying the same ranges of IP addresses Standard dumb network hubs
and switches are examples of network bridges With a hub packets arriving at any port are bridged and sent
out to every other port A switch is a bit smarter since it is able to adaptively learn which network interface cards
(NICs) are attached to which ports But a switch is still interconnecting network segments carrying the same
ranges of IP addresses
532 Routing vs Bridging Although routed connections are the most common and straightforward to configure they suffer from significant
operational limitations By comparison bridged connections are generally much trickier to configure and are not
even natively available under all operating systems so they are not the default connection type But when bridging
is properly setup it correctly does everything that we want
Bridging and routing are functionally very similar with the major difference being that a routed VPN will not pass
IP broadcasts while a bridged VPN will
Routing advantages
Efficiency and scalability
Allows better tuning of MTU for efficiency
Routing disadvantages
Clients must use a WINS server (such as samba) to allow cross-VPN network browsing to work
Routes must be set up linking each subnet
Software that depends on broadcasts will not see machines on the other side of the VPN
Works only with IPv4 in general and IPv6 in cases where tuntap drivers on both ends of the connection
support it explicitly
Bridging advantages
Broadcasts traverse the VPN -- this allows software that depends on LAN broadcasts such as Windows
NetBIOS file sharing and network neighborhood browsing to work
No route statements to configure
Works with any protocol that can function over ethernet
Relatively easy-to-configure solution for road warriors
Bridging disadvantages
Less efficient than routing and does not scale well
533 Setup Network Bridge With either bridging mode or routing mode one can create point-to-site VPN site-to-site VPN or even multiple site-
to-site networks Once a network structure is well designed one can use Featureini file to control NeoRouter client
service to implement it
The file Featureini is located in the main configuration folder which can be various for different OS
On Windows Xp
XDocuments and SettingsAll UsersApplication DataZebraNetworkSystemsNeoRouter
On Vista+
XUsersAll UsersZebraNetworkSystemsNeoRouter
On Linux and Mac OSX
usrlocalZebraNetworkSystemsNeoRouter
On in-a-box
jffs
If it does not exist please create one
The only thing to do is define the parameters in the Featureini file
User Manual
NeoRouter Inc 2010 Page 43 of 53
NetworkBridge=1
LANSegment parameter
This is a set of parameters used for mapping the external IP address or IP range to a virtual IP address so that
NeoRouter can route the packets to the proper tunnel Its defined in the following format
LANSegment[index]=[IP|IP range|segment]VIP
[index] - number start from 1 for example 123
[IP] - a valid external IP address for example 192168129126
[IP range] - a set of external IP addresses in the format as IP_BEGIN-IP_END For example 192168129126-
192168129128
[segment] - a set of external IP addresses in the format as SUBNETWORKNETMASK For example
19216812902552552550
For example
[Default]
NetworkBridge=1
LANSegment1=192168129126-192168129128192168129204
LANSegment2=192168129120192168129205
LANSegment3=192168302552552550192168129206
In the sample above the setting tells NeoRouter how to route packets
Here are several common scenarios
534 Bridging Setup ndash point to site VPN
Requirement
A company wants create a point-to-site VPN so that the employees can remotely access the printers or computers in
the office from home or customer site Since NeoRouter client cannot be installed on the printers and some
User Manual
NeoRouter Inc 2010 Page 44 of 53
computers that are running Unix OS (HP-Unix Solaris or SCO Unix) the NeoRouter Network Bridge feature
would the best choice
Design
Since we want to use the printer its better to use the bridging mode Depending on the requirements we split the
network into 3 groups
1 192168129126 - 192168128128 used for computers or printers
2 192168129200 - 192168129254 used for NeoRouter DHCP
3 Other IP address we dont want packets from these IP range go to our VPN
Setup
1 Setup NeoRouter server and config the DHCP address to 1921681292002552552550
2 Setup the gateway computer by creating a bridge to combine the NeoRouter virtual adapter and a local adapter
On Windows XP+ (except WinXp x64) one can use Windows tool to create a bridge
(check out MSDN for details)
Since some adapters may not fully support prosmic mode one has to enable it manually
(check out httpsupportmicrosoftcomkb302348)
gt netsh bridge show adapter
gt netsh bridge set a 1 e
gt netsh bridge set a 2 e
On Linux one can use brctl command to create a bridge
gt brctl addbr $br
gt brctl addif $br eth0
gt brctl addif $br nrtap
gt ifconfig nrtap 0000 promisc up
gt ifconfig eth0 0000 promisc up
gt ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast
gt
gt ifconfig $br down
gt brctl delbr $br
3 Setup Featureini file on each member of the NeoRouter network The content of the file is
[Default]
NetworkBridge=1
LANSegment1=192168129126-192168129128192168129204
After setting the file restart the nrservice or reboot computer
User Manual
NeoRouter Inc 2010 Page 45 of 53
535 Routing Setup ndash site to site VPN
Requirement
A company wants create a site-to-site VPN to link two offices located in different cities They cannot install
NeoRouter client software on their computers running Unix OS (HP-Unix Solaris or SCO Unix) The NeoRouter
Network Bridge feature would be the best choice
Design
To make the VPN fast its better to use the routing mode From the requirements we can see 3 networks
1 19216812902552552550 Office 1
2 192168302552552550 Office 2
3 100102552552550 NeoRouter virtual network
Setup
1 Setup NeoRouter client on each gateway computers
2 One each gateway computer enable the feature allowing the OS to forward packets
On Windows 2000+
create HKEY_Local_MachineSystemCurrentControlSetServicesTcpipParametersIPEnableRouter
as a string value equal to 1 in the registry This will require a system reboot to take effect To confirm it
is enabled do ipconfig all from the command line IP Routing Enabled should say yes If not confirm your
registry setting and reboot again This setting is flaky in non-server versions of Windows
Also refer to httpsupportmicrosoftcomkb230082en-us
On Linux
gt echo 1 gt procsysnetipv4ip_forward
User Manual
NeoRouter Inc 2010 Page 46 of 53
On Mac OS X
1) The easy way is to create or edit etcsysctlconf and add netinetipforwarding=1
or
2) gt sysctl -w netinetipforwarding=1
3 Setup route on each gateway
On the gateway of the 1921683x network
gt route ndashp add 1921681290 mask 25525500 1001103
On the gateway of the 192168129x network
gt route ndashp add 19216830 mask 25525500 1001102
4 Setup route stable When using routing method you need to tell your other machines how to cross the VPN to
access computers on the opposite network
Option1
This requires more work but limits configuration changes to be at the computer level
On each computer of the 1921683x network
gt route ndashp add 1921681290 mask 25525500 1921683234
On each computer of the 192168129x network
gt route ndashp add 19216830 mask 25525500 192168129129
Option 2 (not all routers support this but it is the minimal configuration method)
On the router acting as the default gateway for 1921683x network add a static route that says any traffic destined
for 1921681290 network go through 1921683x (IP address of NeoRouter PC on 1921683x network)
On the router acting as the default gateway for 192168129x network add a static route that says any traffic
destined for 19216830 network go through 192168129x (IP address of NeoRouter PC on 192168129x
network)
User Manual
NeoRouter Inc 2010 Page 47 of 53
536 Bridging Setup ndash site to site VPN
537 Run Scripts When Network Bridge feature is enabled one can define commands getting called by NR Client on the following
events
These commands should be defined in the Featureini file
1When initialize the tap device but not activate it yet
CmdOnTapInit=xxxxxxxxx
2When the tap device gets activated
CmdOnTapActive=xxxxxxxxx
3When tap device gets destroyed
CmdOnTapUninit=xxxxxxxxx
These options are available on all platforms
For example one can define a script to setup static route table after the tap gets activated and has virtual IP address
assigned
Featureini
CmdOnTapActive=usrbinsetroutetablesh
User Manual
NeoRouter Inc 2010 Page 48 of 53
54 Build Custom Add-on (Windows)
541 Create Custom Add-on You can customize an add-on or even create your own
As an example letrsquos create an add-on to get the system info of a remote computer using PsTools by Mark
Russinovich and systeminfoexe command shipped with Windows
PsTools httptechnetmicrosoftcomen-ussysinternalsbb896649aspx
systeminfo httptechnetmicrosoftcomen-uslibrarybb491007aspx
a Launch NeoRouter Network Explorer open Add-ons Manager dialog
b Click + button to create a new add-on
c In add-on properties dialog enter the following
Add-on name psexec systeminfo
Command
cmdexe C cpstoolspsexecexe NRIPAddress -u ltusernamegt systeminfo amp pause
Please replace ltusernamegt with username on the remote computer
Comment Get SystemInfo of remote machine using psexec
Startup Type Manual
Icon click Change Icon button to choose one thats easy to recognize
d In the command you can use Windows environment variables or NeoRouter variables like
NRIPAddress If you click on the button next to the Command edit box you will see the Edit
Command dialog with a list of variables you can use
User Manual
NeoRouter Inc 2010 Page 49 of 53
e Three Startup types are supported
Manual the add-on will be displayed in the launch pad of Network Explorer and user can manually
launch the program
Automatic after signing in the add-on command is automatically executed when user signs into
NeoRouter Network Explorer
Automatic after Windows starts the add-on command is automatically executed when Windows
starts
f Launch the new add-on just click on the target computer in Network Explorer and choose the add-on in
the pop-up launch pad
User Manual
NeoRouter Inc 2010 Page 50 of 53
g In the above steps I have assumed that PsTools are installed at cPsTools and the remote computer has
telnet service enabled If not lets configure the system now
PsTools download from httptechnetmicrosoftcomen-ussysinternalsbb896649aspx and extract to
cPsTools folder
h Configure telnet service on remote computer This step is required on XPVista but not necessary on
Windows 20032008 servers
Run servicesmsc from the Start -gt Run command window and configured the Telnet service for
Automatic Start the service
Follow the instructions here httpsupportmicrosoftcomkb298060en-us
Launch Windows firewall and add CWINDOWSSystem32tlntsvrexe to exception list
542 Add-on File Formats
NeoRouter supports two types of add-on files nri and nra Most users only need to deal with nri files all files
downloaded from httpwwwneoroutercomaddonsindexhtml are in this format nra files are used by advanced
users to build custom add-ons
nri is the full installation package that contains both the application and the the configure info Users can simply
download nri files from and use the Install button to setup the add-on
nra contains only the configuration info Advanced users can create custom add-ons and export the configuration
info as nra files using the Export button in the add-on properties dialog Then heshe can import the nra file
on another client But remember that you will need to manually setup the application as well
User Manual
NeoRouter Inc 2010 Page 51 of 53
6 Licensing NeoRouter
61 Licensing Overview
NeoRouter Server Professional Edition has a license control mechanism User can purchase either 8 licenses or 256
licenses The number of licenses is the max number of client computers allowed in the virtual network A
NeoRouter client requires one license regardless of whether it is online or offline A NeoRouter PortableUSB client
requires one license when it is connected to the virtual network There is no limit on the number of user accounts
NeoRouter Professional has 30 days trial period Please activate before the trial period expires to ensure
uninterrupted usage The license status and remaining trial days can be found at Configuration Explorerrsquos General
page
62 Activation
If you have purchased NeoRouter Professional Edition you should receive a product key in email Please have the
product key ready before starting the activation process
a Ensure NeoRouter server is running
b Launch Configuration Explorer and sign in
c Open ldquoGeneralrdquo page click on the ldquoActivate Productrdquo button
d Enter the product key in the following dialog
e Click on the ldquoOKrdquo button to activate it
After successful activation the ldquoActivate Productrdquo button will disappear and License status will show as activated
If the server host is non-Windows you can also activate using nrserverrsquos CLI The command is as follows On Mac
nrserver executable is located under LibraryNeoRouter
ldquonrserver ndashactivateproduct ltPRODUCT KEYgtrdquo
63 Product Key Recovery
You should receive a product key in email within 48 hours after your purchase If you lose the product key please
contact us and provide your name company shipping address and email address We will verify the information and
resend the product key to you
User Manual
NeoRouter Inc 2010 Page 52 of 53
7 Troubleshooting and Support
71 Troubleshooting
If you come cross issues when using NeoRouter please use the methods to debug or report
711 Troubleshooting steps
1Install Server
2Check Server
Process
3Check Server
Listening port
4Check Port
Forwarding
6Signin with
Domain
14Check Error
Message
20 Generate Log
and email support
9Install Client
10Check Client
Service Process
11Sign in with
serverrsquos local or
public IP and port
failed
sucessful
15 Manually Start
Servernot found
started
not start
found
not open17 Check Port
conflicts
solved
Not solved
opened
19 Check Router
Port Forward
setting
not work
Set properly
8Ready
Sign in successfully
5Sign in with
public IP and port
successful
Cannot sign in
22 Router Hairpin
issue
Cannot
sign in
12Sign in with
domain name
found
successful
failed
16 Manually Start
Client ServiceNot found
started
13Ready
Sign in successfully
18 Check serverCannot
Sign in
solved
Cannot
sign in
21 Check domain
setting
Not sovled solved
Troubleshooting Steps
Setup Server Setup Client
Note
Step 2 and 10 to check if a process is running you can use Task Manager or Services Console on
Windows or ps command on other platforms
Step 3 to check server listening port you can use telnet or netstat on all platforms You can also
TcpViewer on Windows or NetActView on Linux
Step 4 to check port forwarding you can use httpwwwneoroutercomcheckportphp
Step 5 and 6 Tip ndash use Configuration Explorer instead of Network Explorer to debug server issues
Step 20 next section will explain how to generate log files
User Manual
NeoRouter Inc 2010 Page 53 of 53
Step 22 If your router does not support Hairpin please set serverrsquos LAN address in the Connection
Options dialog See Server Local Address
712 Generate Log
If you need technical support please use the following steps to collect the log files and send them to
supportneoroutercom
a Launch Network Explorer
b Select menu item HelpgtgtTroubleshootinggtgtLog Session to File
c If you want to troubleshoot the server then restart the NeoRouter server service from the servicesmsc if
you want to create log for the client then restart the NeoRouter client service from the servicemsc
d After reproduce the issue select menu item HelpgtgtTroubleshootinggtgt Log Session to File again to disable
the log and restart the service you are trying to log
e Select menu item HelpgtgtTroubleshootinggtgtOpen Configuration Folder and you will see the log file
For advanced users please setup logging settings manually referring to
httpwwwneoroutercomwikiindexphpNeoRouterWikiFAQHow_to_generate_a_log_file3F
72 Contact Us
Company website
httpwwwneoroutercom
Technical support
supportneoroutercom
Support ticket
httpswwwneoroutercomDashboardSendTicketaspx
Support forum
httpwwwneoroutercomforum
Product sales
salesneoroutercom
Knowledge base
httpwwwneoroutercomsupport
User Manual
NeoRouter Inc 2010 Page 41 of 53
Note
- The new settings will not take effect until the NeoRouter server stops and restarts
- Since the listening port has been changed all NeoRouter clients connected to the server will be
disconnected and have to reconnect to the server
52 Change DHCP NeoRouter server acts as a DHCP server to allocate the virtual IP address when a NeoRouter client connects to it By default the base IP address is 100002552552550 User can change the base IP address to any valid network IP address to meet the specific requirements
a Run Configuration Explorer sign in and open the ldquoSettingsrdquo tab b Click on ldquoChange DHCPrdquo button input the new IP address and netmask and then click ldquoOkrdquo to save the
settings c If the NeoRouter Server is running on the same computer user will be prompted for restarting the
NeoRouter Server d If the NeoRouter Server is running on a different computer or device user needs to restart the server
manually
Note
- The new settings will not take effect until the NeoRouter server stops and restarts
53 Network Bridge
531 Overview NeoRouter (v099 or later) supports the Network Bridge feature which uses two very different means for
interconnecting networks routing and bridging Once the feature is enabled the ACL feature will be disabled
automatically as we cannot control the packets from the external networks anymore and may cause security issues if
its not setup properly So this is an advanced feature for the users who know about it every well
Routing - refers to the interconnection of separate and independent sub-networks (subnets) which have non-
overlapping ranges of IP addresses Upon receiving a packet sent to it a network router examines the
destination IP address to determine which of several connected networks should receive it after which that packet
is forwarded to the proper network
User Manual
NeoRouter Inc 2010 Page 42 of 53
Bridging - by comparison is much simpler A network bridge is simply an electrical interconnection between
separate physical networks that are all carrying the same ranges of IP addresses Standard dumb network hubs
and switches are examples of network bridges With a hub packets arriving at any port are bridged and sent
out to every other port A switch is a bit smarter since it is able to adaptively learn which network interface cards
(NICs) are attached to which ports But a switch is still interconnecting network segments carrying the same
ranges of IP addresses
532 Routing vs Bridging Although routed connections are the most common and straightforward to configure they suffer from significant
operational limitations By comparison bridged connections are generally much trickier to configure and are not
even natively available under all operating systems so they are not the default connection type But when bridging
is properly setup it correctly does everything that we want
Bridging and routing are functionally very similar with the major difference being that a routed VPN will not pass
IP broadcasts while a bridged VPN will
Routing advantages
Efficiency and scalability
Allows better tuning of MTU for efficiency
Routing disadvantages
Clients must use a WINS server (such as samba) to allow cross-VPN network browsing to work
Routes must be set up linking each subnet
Software that depends on broadcasts will not see machines on the other side of the VPN
Works only with IPv4 in general and IPv6 in cases where tuntap drivers on both ends of the connection
support it explicitly
Bridging advantages
Broadcasts traverse the VPN -- this allows software that depends on LAN broadcasts such as Windows
NetBIOS file sharing and network neighborhood browsing to work
No route statements to configure
Works with any protocol that can function over ethernet
Relatively easy-to-configure solution for road warriors
Bridging disadvantages
Less efficient than routing and does not scale well
533 Setup Network Bridge With either bridging mode or routing mode one can create point-to-site VPN site-to-site VPN or even multiple site-
to-site networks Once a network structure is well designed one can use Featureini file to control NeoRouter client
service to implement it
The file Featureini is located in the main configuration folder which can be various for different OS
On Windows Xp
XDocuments and SettingsAll UsersApplication DataZebraNetworkSystemsNeoRouter
On Vista+
XUsersAll UsersZebraNetworkSystemsNeoRouter
On Linux and Mac OSX
usrlocalZebraNetworkSystemsNeoRouter
On in-a-box
jffs
If it does not exist please create one
The only thing to do is define the parameters in the Featureini file
User Manual
NeoRouter Inc 2010 Page 43 of 53
NetworkBridge=1
LANSegment parameter
This is a set of parameters used for mapping the external IP address or IP range to a virtual IP address so that
NeoRouter can route the packets to the proper tunnel Its defined in the following format
LANSegment[index]=[IP|IP range|segment]VIP
[index] - number start from 1 for example 123
[IP] - a valid external IP address for example 192168129126
[IP range] - a set of external IP addresses in the format as IP_BEGIN-IP_END For example 192168129126-
192168129128
[segment] - a set of external IP addresses in the format as SUBNETWORKNETMASK For example
19216812902552552550
For example
[Default]
NetworkBridge=1
LANSegment1=192168129126-192168129128192168129204
LANSegment2=192168129120192168129205
LANSegment3=192168302552552550192168129206
In the sample above the setting tells NeoRouter how to route packets
Here are several common scenarios
534 Bridging Setup ndash point to site VPN
Requirement
A company wants create a point-to-site VPN so that the employees can remotely access the printers or computers in
the office from home or customer site Since NeoRouter client cannot be installed on the printers and some
User Manual
NeoRouter Inc 2010 Page 44 of 53
computers that are running Unix OS (HP-Unix Solaris or SCO Unix) the NeoRouter Network Bridge feature
would the best choice
Design
Since we want to use the printer its better to use the bridging mode Depending on the requirements we split the
network into 3 groups
1 192168129126 - 192168128128 used for computers or printers
2 192168129200 - 192168129254 used for NeoRouter DHCP
3 Other IP address we dont want packets from these IP range go to our VPN
Setup
1 Setup NeoRouter server and config the DHCP address to 1921681292002552552550
2 Setup the gateway computer by creating a bridge to combine the NeoRouter virtual adapter and a local adapter
On Windows XP+ (except WinXp x64) one can use Windows tool to create a bridge
(check out MSDN for details)
Since some adapters may not fully support prosmic mode one has to enable it manually
(check out httpsupportmicrosoftcomkb302348)
gt netsh bridge show adapter
gt netsh bridge set a 1 e
gt netsh bridge set a 2 e
On Linux one can use brctl command to create a bridge
gt brctl addbr $br
gt brctl addif $br eth0
gt brctl addif $br nrtap
gt ifconfig nrtap 0000 promisc up
gt ifconfig eth0 0000 promisc up
gt ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast
gt
gt ifconfig $br down
gt brctl delbr $br
3 Setup Featureini file on each member of the NeoRouter network The content of the file is
[Default]
NetworkBridge=1
LANSegment1=192168129126-192168129128192168129204
After setting the file restart the nrservice or reboot computer
User Manual
NeoRouter Inc 2010 Page 45 of 53
535 Routing Setup ndash site to site VPN
Requirement
A company wants create a site-to-site VPN to link two offices located in different cities They cannot install
NeoRouter client software on their computers running Unix OS (HP-Unix Solaris or SCO Unix) The NeoRouter
Network Bridge feature would be the best choice
Design
To make the VPN fast its better to use the routing mode From the requirements we can see 3 networks
1 19216812902552552550 Office 1
2 192168302552552550 Office 2
3 100102552552550 NeoRouter virtual network
Setup
1 Setup NeoRouter client on each gateway computers
2 One each gateway computer enable the feature allowing the OS to forward packets
On Windows 2000+
create HKEY_Local_MachineSystemCurrentControlSetServicesTcpipParametersIPEnableRouter
as a string value equal to 1 in the registry This will require a system reboot to take effect To confirm it
is enabled do ipconfig all from the command line IP Routing Enabled should say yes If not confirm your
registry setting and reboot again This setting is flaky in non-server versions of Windows
Also refer to httpsupportmicrosoftcomkb230082en-us
On Linux
gt echo 1 gt procsysnetipv4ip_forward
User Manual
NeoRouter Inc 2010 Page 46 of 53
On Mac OS X
1) The easy way is to create or edit etcsysctlconf and add netinetipforwarding=1
or
2) gt sysctl -w netinetipforwarding=1
3 Setup route on each gateway
On the gateway of the 1921683x network
gt route ndashp add 1921681290 mask 25525500 1001103
On the gateway of the 192168129x network
gt route ndashp add 19216830 mask 25525500 1001102
4 Setup route stable When using routing method you need to tell your other machines how to cross the VPN to
access computers on the opposite network
Option1
This requires more work but limits configuration changes to be at the computer level
On each computer of the 1921683x network
gt route ndashp add 1921681290 mask 25525500 1921683234
On each computer of the 192168129x network
gt route ndashp add 19216830 mask 25525500 192168129129
Option 2 (not all routers support this but it is the minimal configuration method)
On the router acting as the default gateway for 1921683x network add a static route that says any traffic destined
for 1921681290 network go through 1921683x (IP address of NeoRouter PC on 1921683x network)
On the router acting as the default gateway for 192168129x network add a static route that says any traffic
destined for 19216830 network go through 192168129x (IP address of NeoRouter PC on 192168129x
network)
User Manual
NeoRouter Inc 2010 Page 47 of 53
536 Bridging Setup ndash site to site VPN
537 Run Scripts When Network Bridge feature is enabled one can define commands getting called by NR Client on the following
events
These commands should be defined in the Featureini file
1When initialize the tap device but not activate it yet
CmdOnTapInit=xxxxxxxxx
2When the tap device gets activated
CmdOnTapActive=xxxxxxxxx
3When tap device gets destroyed
CmdOnTapUninit=xxxxxxxxx
These options are available on all platforms
For example one can define a script to setup static route table after the tap gets activated and has virtual IP address
assigned
Featureini
CmdOnTapActive=usrbinsetroutetablesh
User Manual
NeoRouter Inc 2010 Page 48 of 53
54 Build Custom Add-on (Windows)
541 Create Custom Add-on You can customize an add-on or even create your own
As an example letrsquos create an add-on to get the system info of a remote computer using PsTools by Mark
Russinovich and systeminfoexe command shipped with Windows
PsTools httptechnetmicrosoftcomen-ussysinternalsbb896649aspx
systeminfo httptechnetmicrosoftcomen-uslibrarybb491007aspx
a Launch NeoRouter Network Explorer open Add-ons Manager dialog
b Click + button to create a new add-on
c In add-on properties dialog enter the following
Add-on name psexec systeminfo
Command
cmdexe C cpstoolspsexecexe NRIPAddress -u ltusernamegt systeminfo amp pause
Please replace ltusernamegt with username on the remote computer
Comment Get SystemInfo of remote machine using psexec
Startup Type Manual
Icon click Change Icon button to choose one thats easy to recognize
d In the command you can use Windows environment variables or NeoRouter variables like
NRIPAddress If you click on the button next to the Command edit box you will see the Edit
Command dialog with a list of variables you can use
User Manual
NeoRouter Inc 2010 Page 49 of 53
e Three Startup types are supported
Manual the add-on will be displayed in the launch pad of Network Explorer and user can manually
launch the program
Automatic after signing in the add-on command is automatically executed when user signs into
NeoRouter Network Explorer
Automatic after Windows starts the add-on command is automatically executed when Windows
starts
f Launch the new add-on just click on the target computer in Network Explorer and choose the add-on in
the pop-up launch pad
User Manual
NeoRouter Inc 2010 Page 50 of 53
g In the above steps I have assumed that PsTools are installed at cPsTools and the remote computer has
telnet service enabled If not lets configure the system now
PsTools download from httptechnetmicrosoftcomen-ussysinternalsbb896649aspx and extract to
cPsTools folder
h Configure telnet service on remote computer This step is required on XPVista but not necessary on
Windows 20032008 servers
Run servicesmsc from the Start -gt Run command window and configured the Telnet service for
Automatic Start the service
Follow the instructions here httpsupportmicrosoftcomkb298060en-us
Launch Windows firewall and add CWINDOWSSystem32tlntsvrexe to exception list
542 Add-on File Formats
NeoRouter supports two types of add-on files nri and nra Most users only need to deal with nri files all files
downloaded from httpwwwneoroutercomaddonsindexhtml are in this format nra files are used by advanced
users to build custom add-ons
nri is the full installation package that contains both the application and the the configure info Users can simply
download nri files from and use the Install button to setup the add-on
nra contains only the configuration info Advanced users can create custom add-ons and export the configuration
info as nra files using the Export button in the add-on properties dialog Then heshe can import the nra file
on another client But remember that you will need to manually setup the application as well
User Manual
NeoRouter Inc 2010 Page 51 of 53
6 Licensing NeoRouter
61 Licensing Overview
NeoRouter Server Professional Edition has a license control mechanism User can purchase either 8 licenses or 256
licenses The number of licenses is the max number of client computers allowed in the virtual network A
NeoRouter client requires one license regardless of whether it is online or offline A NeoRouter PortableUSB client
requires one license when it is connected to the virtual network There is no limit on the number of user accounts
NeoRouter Professional has 30 days trial period Please activate before the trial period expires to ensure
uninterrupted usage The license status and remaining trial days can be found at Configuration Explorerrsquos General
page
62 Activation
If you have purchased NeoRouter Professional Edition you should receive a product key in email Please have the
product key ready before starting the activation process
a Ensure NeoRouter server is running
b Launch Configuration Explorer and sign in
c Open ldquoGeneralrdquo page click on the ldquoActivate Productrdquo button
d Enter the product key in the following dialog
e Click on the ldquoOKrdquo button to activate it
After successful activation the ldquoActivate Productrdquo button will disappear and License status will show as activated
If the server host is non-Windows you can also activate using nrserverrsquos CLI The command is as follows On Mac
nrserver executable is located under LibraryNeoRouter
ldquonrserver ndashactivateproduct ltPRODUCT KEYgtrdquo
63 Product Key Recovery
You should receive a product key in email within 48 hours after your purchase If you lose the product key please
contact us and provide your name company shipping address and email address We will verify the information and
resend the product key to you
User Manual
NeoRouter Inc 2010 Page 52 of 53
7 Troubleshooting and Support
71 Troubleshooting
If you come cross issues when using NeoRouter please use the methods to debug or report
711 Troubleshooting steps
1Install Server
2Check Server
Process
3Check Server
Listening port
4Check Port
Forwarding
6Signin with
Domain
14Check Error
Message
20 Generate Log
and email support
9Install Client
10Check Client
Service Process
11Sign in with
serverrsquos local or
public IP and port
failed
sucessful
15 Manually Start
Servernot found
started
not start
found
not open17 Check Port
conflicts
solved
Not solved
opened
19 Check Router
Port Forward
setting
not work
Set properly
8Ready
Sign in successfully
5Sign in with
public IP and port
successful
Cannot sign in
22 Router Hairpin
issue
Cannot
sign in
12Sign in with
domain name
found
successful
failed
16 Manually Start
Client ServiceNot found
started
13Ready
Sign in successfully
18 Check serverCannot
Sign in
solved
Cannot
sign in
21 Check domain
setting
Not sovled solved
Troubleshooting Steps
Setup Server Setup Client
Note
Step 2 and 10 to check if a process is running you can use Task Manager or Services Console on
Windows or ps command on other platforms
Step 3 to check server listening port you can use telnet or netstat on all platforms You can also
TcpViewer on Windows or NetActView on Linux
Step 4 to check port forwarding you can use httpwwwneoroutercomcheckportphp
Step 5 and 6 Tip ndash use Configuration Explorer instead of Network Explorer to debug server issues
Step 20 next section will explain how to generate log files
User Manual
NeoRouter Inc 2010 Page 53 of 53
Step 22 If your router does not support Hairpin please set serverrsquos LAN address in the Connection
Options dialog See Server Local Address
712 Generate Log
If you need technical support please use the following steps to collect the log files and send them to
supportneoroutercom
a Launch Network Explorer
b Select menu item HelpgtgtTroubleshootinggtgtLog Session to File
c If you want to troubleshoot the server then restart the NeoRouter server service from the servicesmsc if
you want to create log for the client then restart the NeoRouter client service from the servicemsc
d After reproduce the issue select menu item HelpgtgtTroubleshootinggtgt Log Session to File again to disable
the log and restart the service you are trying to log
e Select menu item HelpgtgtTroubleshootinggtgtOpen Configuration Folder and you will see the log file
For advanced users please setup logging settings manually referring to
httpwwwneoroutercomwikiindexphpNeoRouterWikiFAQHow_to_generate_a_log_file3F
72 Contact Us
Company website
httpwwwneoroutercom
Technical support
supportneoroutercom
Support ticket
httpswwwneoroutercomDashboardSendTicketaspx
Support forum
httpwwwneoroutercomforum
Product sales
salesneoroutercom
Knowledge base
httpwwwneoroutercomsupport
User Manual
NeoRouter Inc 2010 Page 42 of 53
Bridging - by comparison is much simpler A network bridge is simply an electrical interconnection between
separate physical networks that are all carrying the same ranges of IP addresses Standard dumb network hubs
and switches are examples of network bridges With a hub packets arriving at any port are bridged and sent
out to every other port A switch is a bit smarter since it is able to adaptively learn which network interface cards
(NICs) are attached to which ports But a switch is still interconnecting network segments carrying the same
ranges of IP addresses
532 Routing vs Bridging Although routed connections are the most common and straightforward to configure they suffer from significant
operational limitations By comparison bridged connections are generally much trickier to configure and are not
even natively available under all operating systems so they are not the default connection type But when bridging
is properly setup it correctly does everything that we want
Bridging and routing are functionally very similar with the major difference being that a routed VPN will not pass
IP broadcasts while a bridged VPN will
Routing advantages
Efficiency and scalability
Allows better tuning of MTU for efficiency
Routing disadvantages
Clients must use a WINS server (such as samba) to allow cross-VPN network browsing to work
Routes must be set up linking each subnet
Software that depends on broadcasts will not see machines on the other side of the VPN
Works only with IPv4 in general and IPv6 in cases where tuntap drivers on both ends of the connection
support it explicitly
Bridging advantages
Broadcasts traverse the VPN -- this allows software that depends on LAN broadcasts such as Windows
NetBIOS file sharing and network neighborhood browsing to work
No route statements to configure
Works with any protocol that can function over ethernet
Relatively easy-to-configure solution for road warriors
Bridging disadvantages
Less efficient than routing and does not scale well
533 Setup Network Bridge With either bridging mode or routing mode one can create point-to-site VPN site-to-site VPN or even multiple site-
to-site networks Once a network structure is well designed one can use Featureini file to control NeoRouter client
service to implement it
The file Featureini is located in the main configuration folder which can be various for different OS
On Windows Xp
XDocuments and SettingsAll UsersApplication DataZebraNetworkSystemsNeoRouter
On Vista+
XUsersAll UsersZebraNetworkSystemsNeoRouter
On Linux and Mac OSX
usrlocalZebraNetworkSystemsNeoRouter
On in-a-box
jffs
If it does not exist please create one
The only thing to do is define the parameters in the Featureini file
User Manual
NeoRouter Inc 2010 Page 43 of 53
NetworkBridge=1
LANSegment parameter
This is a set of parameters used for mapping the external IP address or IP range to a virtual IP address so that
NeoRouter can route the packets to the proper tunnel Its defined in the following format
LANSegment[index]=[IP|IP range|segment]VIP
[index] - number start from 1 for example 123
[IP] - a valid external IP address for example 192168129126
[IP range] - a set of external IP addresses in the format as IP_BEGIN-IP_END For example 192168129126-
192168129128
[segment] - a set of external IP addresses in the format as SUBNETWORKNETMASK For example
19216812902552552550
For example
[Default]
NetworkBridge=1
LANSegment1=192168129126-192168129128192168129204
LANSegment2=192168129120192168129205
LANSegment3=192168302552552550192168129206
In the sample above the setting tells NeoRouter how to route packets
Here are several common scenarios
534 Bridging Setup ndash point to site VPN
Requirement
A company wants create a point-to-site VPN so that the employees can remotely access the printers or computers in
the office from home or customer site Since NeoRouter client cannot be installed on the printers and some
User Manual
NeoRouter Inc 2010 Page 44 of 53
computers that are running Unix OS (HP-Unix Solaris or SCO Unix) the NeoRouter Network Bridge feature
would the best choice
Design
Since we want to use the printer its better to use the bridging mode Depending on the requirements we split the
network into 3 groups
1 192168129126 - 192168128128 used for computers or printers
2 192168129200 - 192168129254 used for NeoRouter DHCP
3 Other IP address we dont want packets from these IP range go to our VPN
Setup
1 Setup NeoRouter server and config the DHCP address to 1921681292002552552550
2 Setup the gateway computer by creating a bridge to combine the NeoRouter virtual adapter and a local adapter
On Windows XP+ (except WinXp x64) one can use Windows tool to create a bridge
(check out MSDN for details)
Since some adapters may not fully support prosmic mode one has to enable it manually
(check out httpsupportmicrosoftcomkb302348)
gt netsh bridge show adapter
gt netsh bridge set a 1 e
gt netsh bridge set a 2 e
On Linux one can use brctl command to create a bridge
gt brctl addbr $br
gt brctl addif $br eth0
gt brctl addif $br nrtap
gt ifconfig nrtap 0000 promisc up
gt ifconfig eth0 0000 promisc up
gt ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast
gt
gt ifconfig $br down
gt brctl delbr $br
3 Setup Featureini file on each member of the NeoRouter network The content of the file is
[Default]
NetworkBridge=1
LANSegment1=192168129126-192168129128192168129204
After setting the file restart the nrservice or reboot computer
User Manual
NeoRouter Inc 2010 Page 45 of 53
535 Routing Setup ndash site to site VPN
Requirement
A company wants create a site-to-site VPN to link two offices located in different cities They cannot install
NeoRouter client software on their computers running Unix OS (HP-Unix Solaris or SCO Unix) The NeoRouter
Network Bridge feature would be the best choice
Design
To make the VPN fast its better to use the routing mode From the requirements we can see 3 networks
1 19216812902552552550 Office 1
2 192168302552552550 Office 2
3 100102552552550 NeoRouter virtual network
Setup
1 Setup NeoRouter client on each gateway computers
2 One each gateway computer enable the feature allowing the OS to forward packets
On Windows 2000+
create HKEY_Local_MachineSystemCurrentControlSetServicesTcpipParametersIPEnableRouter
as a string value equal to 1 in the registry This will require a system reboot to take effect To confirm it
is enabled do ipconfig all from the command line IP Routing Enabled should say yes If not confirm your
registry setting and reboot again This setting is flaky in non-server versions of Windows
Also refer to httpsupportmicrosoftcomkb230082en-us
On Linux
gt echo 1 gt procsysnetipv4ip_forward
User Manual
NeoRouter Inc 2010 Page 46 of 53
On Mac OS X
1) The easy way is to create or edit etcsysctlconf and add netinetipforwarding=1
or
2) gt sysctl -w netinetipforwarding=1
3 Setup route on each gateway
On the gateway of the 1921683x network
gt route ndashp add 1921681290 mask 25525500 1001103
On the gateway of the 192168129x network
gt route ndashp add 19216830 mask 25525500 1001102
4 Setup route stable When using routing method you need to tell your other machines how to cross the VPN to
access computers on the opposite network
Option1
This requires more work but limits configuration changes to be at the computer level
On each computer of the 1921683x network
gt route ndashp add 1921681290 mask 25525500 1921683234
On each computer of the 192168129x network
gt route ndashp add 19216830 mask 25525500 192168129129
Option 2 (not all routers support this but it is the minimal configuration method)
On the router acting as the default gateway for 1921683x network add a static route that says any traffic destined
for 1921681290 network go through 1921683x (IP address of NeoRouter PC on 1921683x network)
On the router acting as the default gateway for 192168129x network add a static route that says any traffic
destined for 19216830 network go through 192168129x (IP address of NeoRouter PC on 192168129x
network)
User Manual
NeoRouter Inc 2010 Page 47 of 53
536 Bridging Setup ndash site to site VPN
537 Run Scripts When Network Bridge feature is enabled one can define commands getting called by NR Client on the following
events
These commands should be defined in the Featureini file
1When initialize the tap device but not activate it yet
CmdOnTapInit=xxxxxxxxx
2When the tap device gets activated
CmdOnTapActive=xxxxxxxxx
3When tap device gets destroyed
CmdOnTapUninit=xxxxxxxxx
These options are available on all platforms
For example one can define a script to setup static route table after the tap gets activated and has virtual IP address
assigned
Featureini
CmdOnTapActive=usrbinsetroutetablesh
User Manual
NeoRouter Inc 2010 Page 48 of 53
54 Build Custom Add-on (Windows)
541 Create Custom Add-on You can customize an add-on or even create your own
As an example letrsquos create an add-on to get the system info of a remote computer using PsTools by Mark
Russinovich and systeminfoexe command shipped with Windows
PsTools httptechnetmicrosoftcomen-ussysinternalsbb896649aspx
systeminfo httptechnetmicrosoftcomen-uslibrarybb491007aspx
a Launch NeoRouter Network Explorer open Add-ons Manager dialog
b Click + button to create a new add-on
c In add-on properties dialog enter the following
Add-on name psexec systeminfo
Command
cmdexe C cpstoolspsexecexe NRIPAddress -u ltusernamegt systeminfo amp pause
Please replace ltusernamegt with username on the remote computer
Comment Get SystemInfo of remote machine using psexec
Startup Type Manual
Icon click Change Icon button to choose one thats easy to recognize
d In the command you can use Windows environment variables or NeoRouter variables like
NRIPAddress If you click on the button next to the Command edit box you will see the Edit
Command dialog with a list of variables you can use
User Manual
NeoRouter Inc 2010 Page 49 of 53
e Three Startup types are supported
Manual the add-on will be displayed in the launch pad of Network Explorer and user can manually
launch the program
Automatic after signing in the add-on command is automatically executed when user signs into
NeoRouter Network Explorer
Automatic after Windows starts the add-on command is automatically executed when Windows
starts
f Launch the new add-on just click on the target computer in Network Explorer and choose the add-on in
the pop-up launch pad
User Manual
NeoRouter Inc 2010 Page 50 of 53
g In the above steps I have assumed that PsTools are installed at cPsTools and the remote computer has
telnet service enabled If not lets configure the system now
PsTools download from httptechnetmicrosoftcomen-ussysinternalsbb896649aspx and extract to
cPsTools folder
h Configure telnet service on remote computer This step is required on XPVista but not necessary on
Windows 20032008 servers
Run servicesmsc from the Start -gt Run command window and configured the Telnet service for
Automatic Start the service
Follow the instructions here httpsupportmicrosoftcomkb298060en-us
Launch Windows firewall and add CWINDOWSSystem32tlntsvrexe to exception list
542 Add-on File Formats
NeoRouter supports two types of add-on files nri and nra Most users only need to deal with nri files all files
downloaded from httpwwwneoroutercomaddonsindexhtml are in this format nra files are used by advanced
users to build custom add-ons
nri is the full installation package that contains both the application and the the configure info Users can simply
download nri files from and use the Install button to setup the add-on
nra contains only the configuration info Advanced users can create custom add-ons and export the configuration
info as nra files using the Export button in the add-on properties dialog Then heshe can import the nra file
on another client But remember that you will need to manually setup the application as well
User Manual
NeoRouter Inc 2010 Page 51 of 53
6 Licensing NeoRouter
61 Licensing Overview
NeoRouter Server Professional Edition has a license control mechanism User can purchase either 8 licenses or 256
licenses The number of licenses is the max number of client computers allowed in the virtual network A
NeoRouter client requires one license regardless of whether it is online or offline A NeoRouter PortableUSB client
requires one license when it is connected to the virtual network There is no limit on the number of user accounts
NeoRouter Professional has 30 days trial period Please activate before the trial period expires to ensure
uninterrupted usage The license status and remaining trial days can be found at Configuration Explorerrsquos General
page
62 Activation
If you have purchased NeoRouter Professional Edition you should receive a product key in email Please have the
product key ready before starting the activation process
a Ensure NeoRouter server is running
b Launch Configuration Explorer and sign in
c Open ldquoGeneralrdquo page click on the ldquoActivate Productrdquo button
d Enter the product key in the following dialog
e Click on the ldquoOKrdquo button to activate it
After successful activation the ldquoActivate Productrdquo button will disappear and License status will show as activated
If the server host is non-Windows you can also activate using nrserverrsquos CLI The command is as follows On Mac
nrserver executable is located under LibraryNeoRouter
ldquonrserver ndashactivateproduct ltPRODUCT KEYgtrdquo
63 Product Key Recovery
You should receive a product key in email within 48 hours after your purchase If you lose the product key please
contact us and provide your name company shipping address and email address We will verify the information and
resend the product key to you
User Manual
NeoRouter Inc 2010 Page 52 of 53
7 Troubleshooting and Support
71 Troubleshooting
If you come cross issues when using NeoRouter please use the methods to debug or report
711 Troubleshooting steps
1Install Server
2Check Server
Process
3Check Server
Listening port
4Check Port
Forwarding
6Signin with
Domain
14Check Error
Message
20 Generate Log
and email support
9Install Client
10Check Client
Service Process
11Sign in with
serverrsquos local or
public IP and port
failed
sucessful
15 Manually Start
Servernot found
started
not start
found
not open17 Check Port
conflicts
solved
Not solved
opened
19 Check Router
Port Forward
setting
not work
Set properly
8Ready
Sign in successfully
5Sign in with
public IP and port
successful
Cannot sign in
22 Router Hairpin
issue
Cannot
sign in
12Sign in with
domain name
found
successful
failed
16 Manually Start
Client ServiceNot found
started
13Ready
Sign in successfully
18 Check serverCannot
Sign in
solved
Cannot
sign in
21 Check domain
setting
Not sovled solved
Troubleshooting Steps
Setup Server Setup Client
Note
Step 2 and 10 to check if a process is running you can use Task Manager or Services Console on
Windows or ps command on other platforms
Step 3 to check server listening port you can use telnet or netstat on all platforms You can also
TcpViewer on Windows or NetActView on Linux
Step 4 to check port forwarding you can use httpwwwneoroutercomcheckportphp
Step 5 and 6 Tip ndash use Configuration Explorer instead of Network Explorer to debug server issues
Step 20 next section will explain how to generate log files
User Manual
NeoRouter Inc 2010 Page 53 of 53
Step 22 If your router does not support Hairpin please set serverrsquos LAN address in the Connection
Options dialog See Server Local Address
712 Generate Log
If you need technical support please use the following steps to collect the log files and send them to
supportneoroutercom
a Launch Network Explorer
b Select menu item HelpgtgtTroubleshootinggtgtLog Session to File
c If you want to troubleshoot the server then restart the NeoRouter server service from the servicesmsc if
you want to create log for the client then restart the NeoRouter client service from the servicemsc
d After reproduce the issue select menu item HelpgtgtTroubleshootinggtgt Log Session to File again to disable
the log and restart the service you are trying to log
e Select menu item HelpgtgtTroubleshootinggtgtOpen Configuration Folder and you will see the log file
For advanced users please setup logging settings manually referring to
httpwwwneoroutercomwikiindexphpNeoRouterWikiFAQHow_to_generate_a_log_file3F
72 Contact Us
Company website
httpwwwneoroutercom
Technical support
supportneoroutercom
Support ticket
httpswwwneoroutercomDashboardSendTicketaspx
Support forum
httpwwwneoroutercomforum
Product sales
salesneoroutercom
Knowledge base
httpwwwneoroutercomsupport
User Manual
NeoRouter Inc 2010 Page 43 of 53
NetworkBridge=1
LANSegment parameter
This is a set of parameters used for mapping the external IP address or IP range to a virtual IP address so that
NeoRouter can route the packets to the proper tunnel Its defined in the following format
LANSegment[index]=[IP|IP range|segment]VIP
[index] - number start from 1 for example 123
[IP] - a valid external IP address for example 192168129126
[IP range] - a set of external IP addresses in the format as IP_BEGIN-IP_END For example 192168129126-
192168129128
[segment] - a set of external IP addresses in the format as SUBNETWORKNETMASK For example
19216812902552552550
For example
[Default]
NetworkBridge=1
LANSegment1=192168129126-192168129128192168129204
LANSegment2=192168129120192168129205
LANSegment3=192168302552552550192168129206
In the sample above the setting tells NeoRouter how to route packets
Here are several common scenarios
534 Bridging Setup ndash point to site VPN
Requirement
A company wants create a point-to-site VPN so that the employees can remotely access the printers or computers in
the office from home or customer site Since NeoRouter client cannot be installed on the printers and some
User Manual
NeoRouter Inc 2010 Page 44 of 53
computers that are running Unix OS (HP-Unix Solaris or SCO Unix) the NeoRouter Network Bridge feature
would the best choice
Design
Since we want to use the printer its better to use the bridging mode Depending on the requirements we split the
network into 3 groups
1 192168129126 - 192168128128 used for computers or printers
2 192168129200 - 192168129254 used for NeoRouter DHCP
3 Other IP address we dont want packets from these IP range go to our VPN
Setup
1 Setup NeoRouter server and config the DHCP address to 1921681292002552552550
2 Setup the gateway computer by creating a bridge to combine the NeoRouter virtual adapter and a local adapter
On Windows XP+ (except WinXp x64) one can use Windows tool to create a bridge
(check out MSDN for details)
Since some adapters may not fully support prosmic mode one has to enable it manually
(check out httpsupportmicrosoftcomkb302348)
gt netsh bridge show adapter
gt netsh bridge set a 1 e
gt netsh bridge set a 2 e
On Linux one can use brctl command to create a bridge
gt brctl addbr $br
gt brctl addif $br eth0
gt brctl addif $br nrtap
gt ifconfig nrtap 0000 promisc up
gt ifconfig eth0 0000 promisc up
gt ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast
gt
gt ifconfig $br down
gt brctl delbr $br
3 Setup Featureini file on each member of the NeoRouter network The content of the file is
[Default]
NetworkBridge=1
LANSegment1=192168129126-192168129128192168129204
After setting the file restart the nrservice or reboot computer
User Manual
NeoRouter Inc 2010 Page 45 of 53
535 Routing Setup ndash site to site VPN
Requirement
A company wants create a site-to-site VPN to link two offices located in different cities They cannot install
NeoRouter client software on their computers running Unix OS (HP-Unix Solaris or SCO Unix) The NeoRouter
Network Bridge feature would be the best choice
Design
To make the VPN fast its better to use the routing mode From the requirements we can see 3 networks
1 19216812902552552550 Office 1
2 192168302552552550 Office 2
3 100102552552550 NeoRouter virtual network
Setup
1 Setup NeoRouter client on each gateway computers
2 One each gateway computer enable the feature allowing the OS to forward packets
On Windows 2000+
create HKEY_Local_MachineSystemCurrentControlSetServicesTcpipParametersIPEnableRouter
as a string value equal to 1 in the registry This will require a system reboot to take effect To confirm it
is enabled do ipconfig all from the command line IP Routing Enabled should say yes If not confirm your
registry setting and reboot again This setting is flaky in non-server versions of Windows
Also refer to httpsupportmicrosoftcomkb230082en-us
On Linux
gt echo 1 gt procsysnetipv4ip_forward
User Manual
NeoRouter Inc 2010 Page 46 of 53
On Mac OS X
1) The easy way is to create or edit etcsysctlconf and add netinetipforwarding=1
or
2) gt sysctl -w netinetipforwarding=1
3 Setup route on each gateway
On the gateway of the 1921683x network
gt route ndashp add 1921681290 mask 25525500 1001103
On the gateway of the 192168129x network
gt route ndashp add 19216830 mask 25525500 1001102
4 Setup route stable When using routing method you need to tell your other machines how to cross the VPN to
access computers on the opposite network
Option1
This requires more work but limits configuration changes to be at the computer level
On each computer of the 1921683x network
gt route ndashp add 1921681290 mask 25525500 1921683234
On each computer of the 192168129x network
gt route ndashp add 19216830 mask 25525500 192168129129
Option 2 (not all routers support this but it is the minimal configuration method)
On the router acting as the default gateway for 1921683x network add a static route that says any traffic destined
for 1921681290 network go through 1921683x (IP address of NeoRouter PC on 1921683x network)
On the router acting as the default gateway for 192168129x network add a static route that says any traffic
destined for 19216830 network go through 192168129x (IP address of NeoRouter PC on 192168129x
network)
User Manual
NeoRouter Inc 2010 Page 47 of 53
536 Bridging Setup ndash site to site VPN
537 Run Scripts When Network Bridge feature is enabled one can define commands getting called by NR Client on the following
events
These commands should be defined in the Featureini file
1When initialize the tap device but not activate it yet
CmdOnTapInit=xxxxxxxxx
2When the tap device gets activated
CmdOnTapActive=xxxxxxxxx
3When tap device gets destroyed
CmdOnTapUninit=xxxxxxxxx
These options are available on all platforms
For example one can define a script to setup static route table after the tap gets activated and has virtual IP address
assigned
Featureini
CmdOnTapActive=usrbinsetroutetablesh
User Manual
NeoRouter Inc 2010 Page 48 of 53
54 Build Custom Add-on (Windows)
541 Create Custom Add-on You can customize an add-on or even create your own
As an example letrsquos create an add-on to get the system info of a remote computer using PsTools by Mark
Russinovich and systeminfoexe command shipped with Windows
PsTools httptechnetmicrosoftcomen-ussysinternalsbb896649aspx
systeminfo httptechnetmicrosoftcomen-uslibrarybb491007aspx
a Launch NeoRouter Network Explorer open Add-ons Manager dialog
b Click + button to create a new add-on
c In add-on properties dialog enter the following
Add-on name psexec systeminfo
Command
cmdexe C cpstoolspsexecexe NRIPAddress -u ltusernamegt systeminfo amp pause
Please replace ltusernamegt with username on the remote computer
Comment Get SystemInfo of remote machine using psexec
Startup Type Manual
Icon click Change Icon button to choose one thats easy to recognize
d In the command you can use Windows environment variables or NeoRouter variables like
NRIPAddress If you click on the button next to the Command edit box you will see the Edit
Command dialog with a list of variables you can use
User Manual
NeoRouter Inc 2010 Page 49 of 53
e Three Startup types are supported
Manual the add-on will be displayed in the launch pad of Network Explorer and user can manually
launch the program
Automatic after signing in the add-on command is automatically executed when user signs into
NeoRouter Network Explorer
Automatic after Windows starts the add-on command is automatically executed when Windows
starts
f Launch the new add-on just click on the target computer in Network Explorer and choose the add-on in
the pop-up launch pad
User Manual
NeoRouter Inc 2010 Page 50 of 53
g In the above steps I have assumed that PsTools are installed at cPsTools and the remote computer has
telnet service enabled If not lets configure the system now
PsTools download from httptechnetmicrosoftcomen-ussysinternalsbb896649aspx and extract to
cPsTools folder
h Configure telnet service on remote computer This step is required on XPVista but not necessary on
Windows 20032008 servers
Run servicesmsc from the Start -gt Run command window and configured the Telnet service for
Automatic Start the service
Follow the instructions here httpsupportmicrosoftcomkb298060en-us
Launch Windows firewall and add CWINDOWSSystem32tlntsvrexe to exception list
542 Add-on File Formats
NeoRouter supports two types of add-on files nri and nra Most users only need to deal with nri files all files
downloaded from httpwwwneoroutercomaddonsindexhtml are in this format nra files are used by advanced
users to build custom add-ons
nri is the full installation package that contains both the application and the the configure info Users can simply
download nri files from and use the Install button to setup the add-on
nra contains only the configuration info Advanced users can create custom add-ons and export the configuration
info as nra files using the Export button in the add-on properties dialog Then heshe can import the nra file
on another client But remember that you will need to manually setup the application as well
User Manual
NeoRouter Inc 2010 Page 51 of 53
6 Licensing NeoRouter
61 Licensing Overview
NeoRouter Server Professional Edition has a license control mechanism User can purchase either 8 licenses or 256
licenses The number of licenses is the max number of client computers allowed in the virtual network A
NeoRouter client requires one license regardless of whether it is online or offline A NeoRouter PortableUSB client
requires one license when it is connected to the virtual network There is no limit on the number of user accounts
NeoRouter Professional has 30 days trial period Please activate before the trial period expires to ensure
uninterrupted usage The license status and remaining trial days can be found at Configuration Explorerrsquos General
page
62 Activation
If you have purchased NeoRouter Professional Edition you should receive a product key in email Please have the
product key ready before starting the activation process
a Ensure NeoRouter server is running
b Launch Configuration Explorer and sign in
c Open ldquoGeneralrdquo page click on the ldquoActivate Productrdquo button
d Enter the product key in the following dialog
e Click on the ldquoOKrdquo button to activate it
After successful activation the ldquoActivate Productrdquo button will disappear and License status will show as activated
If the server host is non-Windows you can also activate using nrserverrsquos CLI The command is as follows On Mac
nrserver executable is located under LibraryNeoRouter
ldquonrserver ndashactivateproduct ltPRODUCT KEYgtrdquo
63 Product Key Recovery
You should receive a product key in email within 48 hours after your purchase If you lose the product key please
contact us and provide your name company shipping address and email address We will verify the information and
resend the product key to you
User Manual
NeoRouter Inc 2010 Page 52 of 53
7 Troubleshooting and Support
71 Troubleshooting
If you come cross issues when using NeoRouter please use the methods to debug or report
711 Troubleshooting steps
1Install Server
2Check Server
Process
3Check Server
Listening port
4Check Port
Forwarding
6Signin with
Domain
14Check Error
Message
20 Generate Log
and email support
9Install Client
10Check Client
Service Process
11Sign in with
serverrsquos local or
public IP and port
failed
sucessful
15 Manually Start
Servernot found
started
not start
found
not open17 Check Port
conflicts
solved
Not solved
opened
19 Check Router
Port Forward
setting
not work
Set properly
8Ready
Sign in successfully
5Sign in with
public IP and port
successful
Cannot sign in
22 Router Hairpin
issue
Cannot
sign in
12Sign in with
domain name
found
successful
failed
16 Manually Start
Client ServiceNot found
started
13Ready
Sign in successfully
18 Check serverCannot
Sign in
solved
Cannot
sign in
21 Check domain
setting
Not sovled solved
Troubleshooting Steps
Setup Server Setup Client
Note
Step 2 and 10 to check if a process is running you can use Task Manager or Services Console on
Windows or ps command on other platforms
Step 3 to check server listening port you can use telnet or netstat on all platforms You can also
TcpViewer on Windows or NetActView on Linux
Step 4 to check port forwarding you can use httpwwwneoroutercomcheckportphp
Step 5 and 6 Tip ndash use Configuration Explorer instead of Network Explorer to debug server issues
Step 20 next section will explain how to generate log files
User Manual
NeoRouter Inc 2010 Page 53 of 53
Step 22 If your router does not support Hairpin please set serverrsquos LAN address in the Connection
Options dialog See Server Local Address
712 Generate Log
If you need technical support please use the following steps to collect the log files and send them to
supportneoroutercom
a Launch Network Explorer
b Select menu item HelpgtgtTroubleshootinggtgtLog Session to File
c If you want to troubleshoot the server then restart the NeoRouter server service from the servicesmsc if
you want to create log for the client then restart the NeoRouter client service from the servicemsc
d After reproduce the issue select menu item HelpgtgtTroubleshootinggtgt Log Session to File again to disable
the log and restart the service you are trying to log
e Select menu item HelpgtgtTroubleshootinggtgtOpen Configuration Folder and you will see the log file
For advanced users please setup logging settings manually referring to
httpwwwneoroutercomwikiindexphpNeoRouterWikiFAQHow_to_generate_a_log_file3F
72 Contact Us
Company website
httpwwwneoroutercom
Technical support
supportneoroutercom
Support ticket
httpswwwneoroutercomDashboardSendTicketaspx
Support forum
httpwwwneoroutercomforum
Product sales
salesneoroutercom
Knowledge base
httpwwwneoroutercomsupport
User Manual
NeoRouter Inc 2010 Page 44 of 53
computers that are running Unix OS (HP-Unix Solaris or SCO Unix) the NeoRouter Network Bridge feature
would the best choice
Design
Since we want to use the printer its better to use the bridging mode Depending on the requirements we split the
network into 3 groups
1 192168129126 - 192168128128 used for computers or printers
2 192168129200 - 192168129254 used for NeoRouter DHCP
3 Other IP address we dont want packets from these IP range go to our VPN
Setup
1 Setup NeoRouter server and config the DHCP address to 1921681292002552552550
2 Setup the gateway computer by creating a bridge to combine the NeoRouter virtual adapter and a local adapter
On Windows XP+ (except WinXp x64) one can use Windows tool to create a bridge
(check out MSDN for details)
Since some adapters may not fully support prosmic mode one has to enable it manually
(check out httpsupportmicrosoftcomkb302348)
gt netsh bridge show adapter
gt netsh bridge set a 1 e
gt netsh bridge set a 2 e
On Linux one can use brctl command to create a bridge
gt brctl addbr $br
gt brctl addif $br eth0
gt brctl addif $br nrtap
gt ifconfig nrtap 0000 promisc up
gt ifconfig eth0 0000 promisc up
gt ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast
gt
gt ifconfig $br down
gt brctl delbr $br
3 Setup Featureini file on each member of the NeoRouter network The content of the file is
[Default]
NetworkBridge=1
LANSegment1=192168129126-192168129128192168129204
After setting the file restart the nrservice or reboot computer
User Manual
NeoRouter Inc 2010 Page 45 of 53
535 Routing Setup ndash site to site VPN
Requirement
A company wants create a site-to-site VPN to link two offices located in different cities They cannot install
NeoRouter client software on their computers running Unix OS (HP-Unix Solaris or SCO Unix) The NeoRouter
Network Bridge feature would be the best choice
Design
To make the VPN fast its better to use the routing mode From the requirements we can see 3 networks
1 19216812902552552550 Office 1
2 192168302552552550 Office 2
3 100102552552550 NeoRouter virtual network
Setup
1 Setup NeoRouter client on each gateway computers
2 One each gateway computer enable the feature allowing the OS to forward packets
On Windows 2000+
create HKEY_Local_MachineSystemCurrentControlSetServicesTcpipParametersIPEnableRouter
as a string value equal to 1 in the registry This will require a system reboot to take effect To confirm it
is enabled do ipconfig all from the command line IP Routing Enabled should say yes If not confirm your
registry setting and reboot again This setting is flaky in non-server versions of Windows
Also refer to httpsupportmicrosoftcomkb230082en-us
On Linux
gt echo 1 gt procsysnetipv4ip_forward
User Manual
NeoRouter Inc 2010 Page 46 of 53
On Mac OS X
1) The easy way is to create or edit etcsysctlconf and add netinetipforwarding=1
or
2) gt sysctl -w netinetipforwarding=1
3 Setup route on each gateway
On the gateway of the 1921683x network
gt route ndashp add 1921681290 mask 25525500 1001103
On the gateway of the 192168129x network
gt route ndashp add 19216830 mask 25525500 1001102
4 Setup route stable When using routing method you need to tell your other machines how to cross the VPN to
access computers on the opposite network
Option1
This requires more work but limits configuration changes to be at the computer level
On each computer of the 1921683x network
gt route ndashp add 1921681290 mask 25525500 1921683234
On each computer of the 192168129x network
gt route ndashp add 19216830 mask 25525500 192168129129
Option 2 (not all routers support this but it is the minimal configuration method)
On the router acting as the default gateway for 1921683x network add a static route that says any traffic destined
for 1921681290 network go through 1921683x (IP address of NeoRouter PC on 1921683x network)
On the router acting as the default gateway for 192168129x network add a static route that says any traffic
destined for 19216830 network go through 192168129x (IP address of NeoRouter PC on 192168129x
network)
User Manual
NeoRouter Inc 2010 Page 47 of 53
536 Bridging Setup ndash site to site VPN
537 Run Scripts When Network Bridge feature is enabled one can define commands getting called by NR Client on the following
events
These commands should be defined in the Featureini file
1When initialize the tap device but not activate it yet
CmdOnTapInit=xxxxxxxxx
2When the tap device gets activated
CmdOnTapActive=xxxxxxxxx
3When tap device gets destroyed
CmdOnTapUninit=xxxxxxxxx
These options are available on all platforms
For example one can define a script to setup static route table after the tap gets activated and has virtual IP address
assigned
Featureini
CmdOnTapActive=usrbinsetroutetablesh
User Manual
NeoRouter Inc 2010 Page 48 of 53
54 Build Custom Add-on (Windows)
541 Create Custom Add-on You can customize an add-on or even create your own
As an example letrsquos create an add-on to get the system info of a remote computer using PsTools by Mark
Russinovich and systeminfoexe command shipped with Windows
PsTools httptechnetmicrosoftcomen-ussysinternalsbb896649aspx
systeminfo httptechnetmicrosoftcomen-uslibrarybb491007aspx
a Launch NeoRouter Network Explorer open Add-ons Manager dialog
b Click + button to create a new add-on
c In add-on properties dialog enter the following
Add-on name psexec systeminfo
Command
cmdexe C cpstoolspsexecexe NRIPAddress -u ltusernamegt systeminfo amp pause
Please replace ltusernamegt with username on the remote computer
Comment Get SystemInfo of remote machine using psexec
Startup Type Manual
Icon click Change Icon button to choose one thats easy to recognize
d In the command you can use Windows environment variables or NeoRouter variables like
NRIPAddress If you click on the button next to the Command edit box you will see the Edit
Command dialog with a list of variables you can use
User Manual
NeoRouter Inc 2010 Page 49 of 53
e Three Startup types are supported
Manual the add-on will be displayed in the launch pad of Network Explorer and user can manually
launch the program
Automatic after signing in the add-on command is automatically executed when user signs into
NeoRouter Network Explorer
Automatic after Windows starts the add-on command is automatically executed when Windows
starts
f Launch the new add-on just click on the target computer in Network Explorer and choose the add-on in
the pop-up launch pad
User Manual
NeoRouter Inc 2010 Page 50 of 53
g In the above steps I have assumed that PsTools are installed at cPsTools and the remote computer has
telnet service enabled If not lets configure the system now
PsTools download from httptechnetmicrosoftcomen-ussysinternalsbb896649aspx and extract to
cPsTools folder
h Configure telnet service on remote computer This step is required on XPVista but not necessary on
Windows 20032008 servers
Run servicesmsc from the Start -gt Run command window and configured the Telnet service for
Automatic Start the service
Follow the instructions here httpsupportmicrosoftcomkb298060en-us
Launch Windows firewall and add CWINDOWSSystem32tlntsvrexe to exception list
542 Add-on File Formats
NeoRouter supports two types of add-on files nri and nra Most users only need to deal with nri files all files
downloaded from httpwwwneoroutercomaddonsindexhtml are in this format nra files are used by advanced
users to build custom add-ons
nri is the full installation package that contains both the application and the the configure info Users can simply
download nri files from and use the Install button to setup the add-on
nra contains only the configuration info Advanced users can create custom add-ons and export the configuration
info as nra files using the Export button in the add-on properties dialog Then heshe can import the nra file
on another client But remember that you will need to manually setup the application as well
User Manual
NeoRouter Inc 2010 Page 51 of 53
6 Licensing NeoRouter
61 Licensing Overview
NeoRouter Server Professional Edition has a license control mechanism User can purchase either 8 licenses or 256
licenses The number of licenses is the max number of client computers allowed in the virtual network A
NeoRouter client requires one license regardless of whether it is online or offline A NeoRouter PortableUSB client
requires one license when it is connected to the virtual network There is no limit on the number of user accounts
NeoRouter Professional has 30 days trial period Please activate before the trial period expires to ensure
uninterrupted usage The license status and remaining trial days can be found at Configuration Explorerrsquos General
page
62 Activation
If you have purchased NeoRouter Professional Edition you should receive a product key in email Please have the
product key ready before starting the activation process
a Ensure NeoRouter server is running
b Launch Configuration Explorer and sign in
c Open ldquoGeneralrdquo page click on the ldquoActivate Productrdquo button
d Enter the product key in the following dialog
e Click on the ldquoOKrdquo button to activate it
After successful activation the ldquoActivate Productrdquo button will disappear and License status will show as activated
If the server host is non-Windows you can also activate using nrserverrsquos CLI The command is as follows On Mac
nrserver executable is located under LibraryNeoRouter
ldquonrserver ndashactivateproduct ltPRODUCT KEYgtrdquo
63 Product Key Recovery
You should receive a product key in email within 48 hours after your purchase If you lose the product key please
contact us and provide your name company shipping address and email address We will verify the information and
resend the product key to you
User Manual
NeoRouter Inc 2010 Page 52 of 53
7 Troubleshooting and Support
71 Troubleshooting
If you come cross issues when using NeoRouter please use the methods to debug or report
711 Troubleshooting steps
1Install Server
2Check Server
Process
3Check Server
Listening port
4Check Port
Forwarding
6Signin with
Domain
14Check Error
Message
20 Generate Log
and email support
9Install Client
10Check Client
Service Process
11Sign in with
serverrsquos local or
public IP and port
failed
sucessful
15 Manually Start
Servernot found
started
not start
found
not open17 Check Port
conflicts
solved
Not solved
opened
19 Check Router
Port Forward
setting
not work
Set properly
8Ready
Sign in successfully
5Sign in with
public IP and port
successful
Cannot sign in
22 Router Hairpin
issue
Cannot
sign in
12Sign in with
domain name
found
successful
failed
16 Manually Start
Client ServiceNot found
started
13Ready
Sign in successfully
18 Check serverCannot
Sign in
solved
Cannot
sign in
21 Check domain
setting
Not sovled solved
Troubleshooting Steps
Setup Server Setup Client
Note
Step 2 and 10 to check if a process is running you can use Task Manager or Services Console on
Windows or ps command on other platforms
Step 3 to check server listening port you can use telnet or netstat on all platforms You can also
TcpViewer on Windows or NetActView on Linux
Step 4 to check port forwarding you can use httpwwwneoroutercomcheckportphp
Step 5 and 6 Tip ndash use Configuration Explorer instead of Network Explorer to debug server issues
Step 20 next section will explain how to generate log files
User Manual
NeoRouter Inc 2010 Page 53 of 53
Step 22 If your router does not support Hairpin please set serverrsquos LAN address in the Connection
Options dialog See Server Local Address
712 Generate Log
If you need technical support please use the following steps to collect the log files and send them to
supportneoroutercom
a Launch Network Explorer
b Select menu item HelpgtgtTroubleshootinggtgtLog Session to File
c If you want to troubleshoot the server then restart the NeoRouter server service from the servicesmsc if
you want to create log for the client then restart the NeoRouter client service from the servicemsc
d After reproduce the issue select menu item HelpgtgtTroubleshootinggtgt Log Session to File again to disable
the log and restart the service you are trying to log
e Select menu item HelpgtgtTroubleshootinggtgtOpen Configuration Folder and you will see the log file
For advanced users please setup logging settings manually referring to
httpwwwneoroutercomwikiindexphpNeoRouterWikiFAQHow_to_generate_a_log_file3F
72 Contact Us
Company website
httpwwwneoroutercom
Technical support
supportneoroutercom
Support ticket
httpswwwneoroutercomDashboardSendTicketaspx
Support forum
httpwwwneoroutercomforum
Product sales
salesneoroutercom
Knowledge base
httpwwwneoroutercomsupport
User Manual
NeoRouter Inc 2010 Page 45 of 53
535 Routing Setup ndash site to site VPN
Requirement
A company wants create a site-to-site VPN to link two offices located in different cities They cannot install
NeoRouter client software on their computers running Unix OS (HP-Unix Solaris or SCO Unix) The NeoRouter
Network Bridge feature would be the best choice
Design
To make the VPN fast its better to use the routing mode From the requirements we can see 3 networks
1 19216812902552552550 Office 1
2 192168302552552550 Office 2
3 100102552552550 NeoRouter virtual network
Setup
1 Setup NeoRouter client on each gateway computers
2 One each gateway computer enable the feature allowing the OS to forward packets
On Windows 2000+
create HKEY_Local_MachineSystemCurrentControlSetServicesTcpipParametersIPEnableRouter
as a string value equal to 1 in the registry This will require a system reboot to take effect To confirm it
is enabled do ipconfig all from the command line IP Routing Enabled should say yes If not confirm your
registry setting and reboot again This setting is flaky in non-server versions of Windows
Also refer to httpsupportmicrosoftcomkb230082en-us
On Linux
gt echo 1 gt procsysnetipv4ip_forward
User Manual
NeoRouter Inc 2010 Page 46 of 53
On Mac OS X
1) The easy way is to create or edit etcsysctlconf and add netinetipforwarding=1
or
2) gt sysctl -w netinetipforwarding=1
3 Setup route on each gateway
On the gateway of the 1921683x network
gt route ndashp add 1921681290 mask 25525500 1001103
On the gateway of the 192168129x network
gt route ndashp add 19216830 mask 25525500 1001102
4 Setup route stable When using routing method you need to tell your other machines how to cross the VPN to
access computers on the opposite network
Option1
This requires more work but limits configuration changes to be at the computer level
On each computer of the 1921683x network
gt route ndashp add 1921681290 mask 25525500 1921683234
On each computer of the 192168129x network
gt route ndashp add 19216830 mask 25525500 192168129129
Option 2 (not all routers support this but it is the minimal configuration method)
On the router acting as the default gateway for 1921683x network add a static route that says any traffic destined
for 1921681290 network go through 1921683x (IP address of NeoRouter PC on 1921683x network)
On the router acting as the default gateway for 192168129x network add a static route that says any traffic
destined for 19216830 network go through 192168129x (IP address of NeoRouter PC on 192168129x
network)
User Manual
NeoRouter Inc 2010 Page 47 of 53
536 Bridging Setup ndash site to site VPN
537 Run Scripts When Network Bridge feature is enabled one can define commands getting called by NR Client on the following
events
These commands should be defined in the Featureini file
1When initialize the tap device but not activate it yet
CmdOnTapInit=xxxxxxxxx
2When the tap device gets activated
CmdOnTapActive=xxxxxxxxx
3When tap device gets destroyed
CmdOnTapUninit=xxxxxxxxx
These options are available on all platforms
For example one can define a script to setup static route table after the tap gets activated and has virtual IP address
assigned
Featureini
CmdOnTapActive=usrbinsetroutetablesh
User Manual
NeoRouter Inc 2010 Page 48 of 53
54 Build Custom Add-on (Windows)
541 Create Custom Add-on You can customize an add-on or even create your own
As an example letrsquos create an add-on to get the system info of a remote computer using PsTools by Mark
Russinovich and systeminfoexe command shipped with Windows
PsTools httptechnetmicrosoftcomen-ussysinternalsbb896649aspx
systeminfo httptechnetmicrosoftcomen-uslibrarybb491007aspx
a Launch NeoRouter Network Explorer open Add-ons Manager dialog
b Click + button to create a new add-on
c In add-on properties dialog enter the following
Add-on name psexec systeminfo
Command
cmdexe C cpstoolspsexecexe NRIPAddress -u ltusernamegt systeminfo amp pause
Please replace ltusernamegt with username on the remote computer
Comment Get SystemInfo of remote machine using psexec
Startup Type Manual
Icon click Change Icon button to choose one thats easy to recognize
d In the command you can use Windows environment variables or NeoRouter variables like
NRIPAddress If you click on the button next to the Command edit box you will see the Edit
Command dialog with a list of variables you can use
User Manual
NeoRouter Inc 2010 Page 49 of 53
e Three Startup types are supported
Manual the add-on will be displayed in the launch pad of Network Explorer and user can manually
launch the program
Automatic after signing in the add-on command is automatically executed when user signs into
NeoRouter Network Explorer
Automatic after Windows starts the add-on command is automatically executed when Windows
starts
f Launch the new add-on just click on the target computer in Network Explorer and choose the add-on in
the pop-up launch pad
User Manual
NeoRouter Inc 2010 Page 50 of 53
g In the above steps I have assumed that PsTools are installed at cPsTools and the remote computer has
telnet service enabled If not lets configure the system now
PsTools download from httptechnetmicrosoftcomen-ussysinternalsbb896649aspx and extract to
cPsTools folder
h Configure telnet service on remote computer This step is required on XPVista but not necessary on
Windows 20032008 servers
Run servicesmsc from the Start -gt Run command window and configured the Telnet service for
Automatic Start the service
Follow the instructions here httpsupportmicrosoftcomkb298060en-us
Launch Windows firewall and add CWINDOWSSystem32tlntsvrexe to exception list
542 Add-on File Formats
NeoRouter supports two types of add-on files nri and nra Most users only need to deal with nri files all files
downloaded from httpwwwneoroutercomaddonsindexhtml are in this format nra files are used by advanced
users to build custom add-ons
nri is the full installation package that contains both the application and the the configure info Users can simply
download nri files from and use the Install button to setup the add-on
nra contains only the configuration info Advanced users can create custom add-ons and export the configuration
info as nra files using the Export button in the add-on properties dialog Then heshe can import the nra file
on another client But remember that you will need to manually setup the application as well
User Manual
NeoRouter Inc 2010 Page 51 of 53
6 Licensing NeoRouter
61 Licensing Overview
NeoRouter Server Professional Edition has a license control mechanism User can purchase either 8 licenses or 256
licenses The number of licenses is the max number of client computers allowed in the virtual network A
NeoRouter client requires one license regardless of whether it is online or offline A NeoRouter PortableUSB client
requires one license when it is connected to the virtual network There is no limit on the number of user accounts
NeoRouter Professional has 30 days trial period Please activate before the trial period expires to ensure
uninterrupted usage The license status and remaining trial days can be found at Configuration Explorerrsquos General
page
62 Activation
If you have purchased NeoRouter Professional Edition you should receive a product key in email Please have the
product key ready before starting the activation process
a Ensure NeoRouter server is running
b Launch Configuration Explorer and sign in
c Open ldquoGeneralrdquo page click on the ldquoActivate Productrdquo button
d Enter the product key in the following dialog
e Click on the ldquoOKrdquo button to activate it
After successful activation the ldquoActivate Productrdquo button will disappear and License status will show as activated
If the server host is non-Windows you can also activate using nrserverrsquos CLI The command is as follows On Mac
nrserver executable is located under LibraryNeoRouter
ldquonrserver ndashactivateproduct ltPRODUCT KEYgtrdquo
63 Product Key Recovery
You should receive a product key in email within 48 hours after your purchase If you lose the product key please
contact us and provide your name company shipping address and email address We will verify the information and
resend the product key to you
User Manual
NeoRouter Inc 2010 Page 52 of 53
7 Troubleshooting and Support
71 Troubleshooting
If you come cross issues when using NeoRouter please use the methods to debug or report
711 Troubleshooting steps
1Install Server
2Check Server
Process
3Check Server
Listening port
4Check Port
Forwarding
6Signin with
Domain
14Check Error
Message
20 Generate Log
and email support
9Install Client
10Check Client
Service Process
11Sign in with
serverrsquos local or
public IP and port
failed
sucessful
15 Manually Start
Servernot found
started
not start
found
not open17 Check Port
conflicts
solved
Not solved
opened
19 Check Router
Port Forward
setting
not work
Set properly
8Ready
Sign in successfully
5Sign in with
public IP and port
successful
Cannot sign in
22 Router Hairpin
issue
Cannot
sign in
12Sign in with
domain name
found
successful
failed
16 Manually Start
Client ServiceNot found
started
13Ready
Sign in successfully
18 Check serverCannot
Sign in
solved
Cannot
sign in
21 Check domain
setting
Not sovled solved
Troubleshooting Steps
Setup Server Setup Client
Note
Step 2 and 10 to check if a process is running you can use Task Manager or Services Console on
Windows or ps command on other platforms
Step 3 to check server listening port you can use telnet or netstat on all platforms You can also
TcpViewer on Windows or NetActView on Linux
Step 4 to check port forwarding you can use httpwwwneoroutercomcheckportphp
Step 5 and 6 Tip ndash use Configuration Explorer instead of Network Explorer to debug server issues
Step 20 next section will explain how to generate log files
User Manual
NeoRouter Inc 2010 Page 53 of 53
Step 22 If your router does not support Hairpin please set serverrsquos LAN address in the Connection
Options dialog See Server Local Address
712 Generate Log
If you need technical support please use the following steps to collect the log files and send them to
supportneoroutercom
a Launch Network Explorer
b Select menu item HelpgtgtTroubleshootinggtgtLog Session to File
c If you want to troubleshoot the server then restart the NeoRouter server service from the servicesmsc if
you want to create log for the client then restart the NeoRouter client service from the servicemsc
d After reproduce the issue select menu item HelpgtgtTroubleshootinggtgt Log Session to File again to disable
the log and restart the service you are trying to log
e Select menu item HelpgtgtTroubleshootinggtgtOpen Configuration Folder and you will see the log file
For advanced users please setup logging settings manually referring to
httpwwwneoroutercomwikiindexphpNeoRouterWikiFAQHow_to_generate_a_log_file3F
72 Contact Us
Company website
httpwwwneoroutercom
Technical support
supportneoroutercom
Support ticket
httpswwwneoroutercomDashboardSendTicketaspx
Support forum
httpwwwneoroutercomforum
Product sales
salesneoroutercom
Knowledge base
httpwwwneoroutercomsupport
User Manual
NeoRouter Inc 2010 Page 46 of 53
On Mac OS X
1) The easy way is to create or edit etcsysctlconf and add netinetipforwarding=1
or
2) gt sysctl -w netinetipforwarding=1
3 Setup route on each gateway
On the gateway of the 1921683x network
gt route ndashp add 1921681290 mask 25525500 1001103
On the gateway of the 192168129x network
gt route ndashp add 19216830 mask 25525500 1001102
4 Setup route stable When using routing method you need to tell your other machines how to cross the VPN to
access computers on the opposite network
Option1
This requires more work but limits configuration changes to be at the computer level
On each computer of the 1921683x network
gt route ndashp add 1921681290 mask 25525500 1921683234
On each computer of the 192168129x network
gt route ndashp add 19216830 mask 25525500 192168129129
Option 2 (not all routers support this but it is the minimal configuration method)
On the router acting as the default gateway for 1921683x network add a static route that says any traffic destined
for 1921681290 network go through 1921683x (IP address of NeoRouter PC on 1921683x network)
On the router acting as the default gateway for 192168129x network add a static route that says any traffic
destined for 19216830 network go through 192168129x (IP address of NeoRouter PC on 192168129x
network)
User Manual
NeoRouter Inc 2010 Page 47 of 53
536 Bridging Setup ndash site to site VPN
537 Run Scripts When Network Bridge feature is enabled one can define commands getting called by NR Client on the following
events
These commands should be defined in the Featureini file
1When initialize the tap device but not activate it yet
CmdOnTapInit=xxxxxxxxx
2When the tap device gets activated
CmdOnTapActive=xxxxxxxxx
3When tap device gets destroyed
CmdOnTapUninit=xxxxxxxxx
These options are available on all platforms
For example one can define a script to setup static route table after the tap gets activated and has virtual IP address
assigned
Featureini
CmdOnTapActive=usrbinsetroutetablesh
User Manual
NeoRouter Inc 2010 Page 48 of 53
54 Build Custom Add-on (Windows)
541 Create Custom Add-on You can customize an add-on or even create your own
As an example letrsquos create an add-on to get the system info of a remote computer using PsTools by Mark
Russinovich and systeminfoexe command shipped with Windows
PsTools httptechnetmicrosoftcomen-ussysinternalsbb896649aspx
systeminfo httptechnetmicrosoftcomen-uslibrarybb491007aspx
a Launch NeoRouter Network Explorer open Add-ons Manager dialog
b Click + button to create a new add-on
c In add-on properties dialog enter the following
Add-on name psexec systeminfo
Command
cmdexe C cpstoolspsexecexe NRIPAddress -u ltusernamegt systeminfo amp pause
Please replace ltusernamegt with username on the remote computer
Comment Get SystemInfo of remote machine using psexec
Startup Type Manual
Icon click Change Icon button to choose one thats easy to recognize
d In the command you can use Windows environment variables or NeoRouter variables like
NRIPAddress If you click on the button next to the Command edit box you will see the Edit
Command dialog with a list of variables you can use
User Manual
NeoRouter Inc 2010 Page 49 of 53
e Three Startup types are supported
Manual the add-on will be displayed in the launch pad of Network Explorer and user can manually
launch the program
Automatic after signing in the add-on command is automatically executed when user signs into
NeoRouter Network Explorer
Automatic after Windows starts the add-on command is automatically executed when Windows
starts
f Launch the new add-on just click on the target computer in Network Explorer and choose the add-on in
the pop-up launch pad
User Manual
NeoRouter Inc 2010 Page 50 of 53
g In the above steps I have assumed that PsTools are installed at cPsTools and the remote computer has
telnet service enabled If not lets configure the system now
PsTools download from httptechnetmicrosoftcomen-ussysinternalsbb896649aspx and extract to
cPsTools folder
h Configure telnet service on remote computer This step is required on XPVista but not necessary on
Windows 20032008 servers
Run servicesmsc from the Start -gt Run command window and configured the Telnet service for
Automatic Start the service
Follow the instructions here httpsupportmicrosoftcomkb298060en-us
Launch Windows firewall and add CWINDOWSSystem32tlntsvrexe to exception list
542 Add-on File Formats
NeoRouter supports two types of add-on files nri and nra Most users only need to deal with nri files all files
downloaded from httpwwwneoroutercomaddonsindexhtml are in this format nra files are used by advanced
users to build custom add-ons
nri is the full installation package that contains both the application and the the configure info Users can simply
download nri files from and use the Install button to setup the add-on
nra contains only the configuration info Advanced users can create custom add-ons and export the configuration
info as nra files using the Export button in the add-on properties dialog Then heshe can import the nra file
on another client But remember that you will need to manually setup the application as well
User Manual
NeoRouter Inc 2010 Page 51 of 53
6 Licensing NeoRouter
61 Licensing Overview
NeoRouter Server Professional Edition has a license control mechanism User can purchase either 8 licenses or 256
licenses The number of licenses is the max number of client computers allowed in the virtual network A
NeoRouter client requires one license regardless of whether it is online or offline A NeoRouter PortableUSB client
requires one license when it is connected to the virtual network There is no limit on the number of user accounts
NeoRouter Professional has 30 days trial period Please activate before the trial period expires to ensure
uninterrupted usage The license status and remaining trial days can be found at Configuration Explorerrsquos General
page
62 Activation
If you have purchased NeoRouter Professional Edition you should receive a product key in email Please have the
product key ready before starting the activation process
a Ensure NeoRouter server is running
b Launch Configuration Explorer and sign in
c Open ldquoGeneralrdquo page click on the ldquoActivate Productrdquo button
d Enter the product key in the following dialog
e Click on the ldquoOKrdquo button to activate it
After successful activation the ldquoActivate Productrdquo button will disappear and License status will show as activated
If the server host is non-Windows you can also activate using nrserverrsquos CLI The command is as follows On Mac
nrserver executable is located under LibraryNeoRouter
ldquonrserver ndashactivateproduct ltPRODUCT KEYgtrdquo
63 Product Key Recovery
You should receive a product key in email within 48 hours after your purchase If you lose the product key please
contact us and provide your name company shipping address and email address We will verify the information and
resend the product key to you
User Manual
NeoRouter Inc 2010 Page 52 of 53
7 Troubleshooting and Support
71 Troubleshooting
If you come cross issues when using NeoRouter please use the methods to debug or report
711 Troubleshooting steps
1Install Server
2Check Server
Process
3Check Server
Listening port
4Check Port
Forwarding
6Signin with
Domain
14Check Error
Message
20 Generate Log
and email support
9Install Client
10Check Client
Service Process
11Sign in with
serverrsquos local or
public IP and port
failed
sucessful
15 Manually Start
Servernot found
started
not start
found
not open17 Check Port
conflicts
solved
Not solved
opened
19 Check Router
Port Forward
setting
not work
Set properly
8Ready
Sign in successfully
5Sign in with
public IP and port
successful
Cannot sign in
22 Router Hairpin
issue
Cannot
sign in
12Sign in with
domain name
found
successful
failed
16 Manually Start
Client ServiceNot found
started
13Ready
Sign in successfully
18 Check serverCannot
Sign in
solved
Cannot
sign in
21 Check domain
setting
Not sovled solved
Troubleshooting Steps
Setup Server Setup Client
Note
Step 2 and 10 to check if a process is running you can use Task Manager or Services Console on
Windows or ps command on other platforms
Step 3 to check server listening port you can use telnet or netstat on all platforms You can also
TcpViewer on Windows or NetActView on Linux
Step 4 to check port forwarding you can use httpwwwneoroutercomcheckportphp
Step 5 and 6 Tip ndash use Configuration Explorer instead of Network Explorer to debug server issues
Step 20 next section will explain how to generate log files
User Manual
NeoRouter Inc 2010 Page 53 of 53
Step 22 If your router does not support Hairpin please set serverrsquos LAN address in the Connection
Options dialog See Server Local Address
712 Generate Log
If you need technical support please use the following steps to collect the log files and send them to
supportneoroutercom
a Launch Network Explorer
b Select menu item HelpgtgtTroubleshootinggtgtLog Session to File
c If you want to troubleshoot the server then restart the NeoRouter server service from the servicesmsc if
you want to create log for the client then restart the NeoRouter client service from the servicemsc
d After reproduce the issue select menu item HelpgtgtTroubleshootinggtgt Log Session to File again to disable
the log and restart the service you are trying to log
e Select menu item HelpgtgtTroubleshootinggtgtOpen Configuration Folder and you will see the log file
For advanced users please setup logging settings manually referring to
httpwwwneoroutercomwikiindexphpNeoRouterWikiFAQHow_to_generate_a_log_file3F
72 Contact Us
Company website
httpwwwneoroutercom
Technical support
supportneoroutercom
Support ticket
httpswwwneoroutercomDashboardSendTicketaspx
Support forum
httpwwwneoroutercomforum
Product sales
salesneoroutercom
Knowledge base
httpwwwneoroutercomsupport
User Manual
NeoRouter Inc 2010 Page 47 of 53
536 Bridging Setup ndash site to site VPN
537 Run Scripts When Network Bridge feature is enabled one can define commands getting called by NR Client on the following
events
These commands should be defined in the Featureini file
1When initialize the tap device but not activate it yet
CmdOnTapInit=xxxxxxxxx
2When the tap device gets activated
CmdOnTapActive=xxxxxxxxx
3When tap device gets destroyed
CmdOnTapUninit=xxxxxxxxx
These options are available on all platforms
For example one can define a script to setup static route table after the tap gets activated and has virtual IP address
assigned
Featureini
CmdOnTapActive=usrbinsetroutetablesh
User Manual
NeoRouter Inc 2010 Page 48 of 53
54 Build Custom Add-on (Windows)
541 Create Custom Add-on You can customize an add-on or even create your own
As an example letrsquos create an add-on to get the system info of a remote computer using PsTools by Mark
Russinovich and systeminfoexe command shipped with Windows
PsTools httptechnetmicrosoftcomen-ussysinternalsbb896649aspx
systeminfo httptechnetmicrosoftcomen-uslibrarybb491007aspx
a Launch NeoRouter Network Explorer open Add-ons Manager dialog
b Click + button to create a new add-on
c In add-on properties dialog enter the following
Add-on name psexec systeminfo
Command
cmdexe C cpstoolspsexecexe NRIPAddress -u ltusernamegt systeminfo amp pause
Please replace ltusernamegt with username on the remote computer
Comment Get SystemInfo of remote machine using psexec
Startup Type Manual
Icon click Change Icon button to choose one thats easy to recognize
d In the command you can use Windows environment variables or NeoRouter variables like
NRIPAddress If you click on the button next to the Command edit box you will see the Edit
Command dialog with a list of variables you can use
User Manual
NeoRouter Inc 2010 Page 49 of 53
e Three Startup types are supported
Manual the add-on will be displayed in the launch pad of Network Explorer and user can manually
launch the program
Automatic after signing in the add-on command is automatically executed when user signs into
NeoRouter Network Explorer
Automatic after Windows starts the add-on command is automatically executed when Windows
starts
f Launch the new add-on just click on the target computer in Network Explorer and choose the add-on in
the pop-up launch pad
User Manual
NeoRouter Inc 2010 Page 50 of 53
g In the above steps I have assumed that PsTools are installed at cPsTools and the remote computer has
telnet service enabled If not lets configure the system now
PsTools download from httptechnetmicrosoftcomen-ussysinternalsbb896649aspx and extract to
cPsTools folder
h Configure telnet service on remote computer This step is required on XPVista but not necessary on
Windows 20032008 servers
Run servicesmsc from the Start -gt Run command window and configured the Telnet service for
Automatic Start the service
Follow the instructions here httpsupportmicrosoftcomkb298060en-us
Launch Windows firewall and add CWINDOWSSystem32tlntsvrexe to exception list
542 Add-on File Formats
NeoRouter supports two types of add-on files nri and nra Most users only need to deal with nri files all files
downloaded from httpwwwneoroutercomaddonsindexhtml are in this format nra files are used by advanced
users to build custom add-ons
nri is the full installation package that contains both the application and the the configure info Users can simply
download nri files from and use the Install button to setup the add-on
nra contains only the configuration info Advanced users can create custom add-ons and export the configuration
info as nra files using the Export button in the add-on properties dialog Then heshe can import the nra file
on another client But remember that you will need to manually setup the application as well
User Manual
NeoRouter Inc 2010 Page 51 of 53
6 Licensing NeoRouter
61 Licensing Overview
NeoRouter Server Professional Edition has a license control mechanism User can purchase either 8 licenses or 256
licenses The number of licenses is the max number of client computers allowed in the virtual network A
NeoRouter client requires one license regardless of whether it is online or offline A NeoRouter PortableUSB client
requires one license when it is connected to the virtual network There is no limit on the number of user accounts
NeoRouter Professional has 30 days trial period Please activate before the trial period expires to ensure
uninterrupted usage The license status and remaining trial days can be found at Configuration Explorerrsquos General
page
62 Activation
If you have purchased NeoRouter Professional Edition you should receive a product key in email Please have the
product key ready before starting the activation process
a Ensure NeoRouter server is running
b Launch Configuration Explorer and sign in
c Open ldquoGeneralrdquo page click on the ldquoActivate Productrdquo button
d Enter the product key in the following dialog
e Click on the ldquoOKrdquo button to activate it
After successful activation the ldquoActivate Productrdquo button will disappear and License status will show as activated
If the server host is non-Windows you can also activate using nrserverrsquos CLI The command is as follows On Mac
nrserver executable is located under LibraryNeoRouter
ldquonrserver ndashactivateproduct ltPRODUCT KEYgtrdquo
63 Product Key Recovery
You should receive a product key in email within 48 hours after your purchase If you lose the product key please
contact us and provide your name company shipping address and email address We will verify the information and
resend the product key to you
User Manual
NeoRouter Inc 2010 Page 52 of 53
7 Troubleshooting and Support
71 Troubleshooting
If you come cross issues when using NeoRouter please use the methods to debug or report
711 Troubleshooting steps
1Install Server
2Check Server
Process
3Check Server
Listening port
4Check Port
Forwarding
6Signin with
Domain
14Check Error
Message
20 Generate Log
and email support
9Install Client
10Check Client
Service Process
11Sign in with
serverrsquos local or
public IP and port
failed
sucessful
15 Manually Start
Servernot found
started
not start
found
not open17 Check Port
conflicts
solved
Not solved
opened
19 Check Router
Port Forward
setting
not work
Set properly
8Ready
Sign in successfully
5Sign in with
public IP and port
successful
Cannot sign in
22 Router Hairpin
issue
Cannot
sign in
12Sign in with
domain name
found
successful
failed
16 Manually Start
Client ServiceNot found
started
13Ready
Sign in successfully
18 Check serverCannot
Sign in
solved
Cannot
sign in
21 Check domain
setting
Not sovled solved
Troubleshooting Steps
Setup Server Setup Client
Note
Step 2 and 10 to check if a process is running you can use Task Manager or Services Console on
Windows or ps command on other platforms
Step 3 to check server listening port you can use telnet or netstat on all platforms You can also
TcpViewer on Windows or NetActView on Linux
Step 4 to check port forwarding you can use httpwwwneoroutercomcheckportphp
Step 5 and 6 Tip ndash use Configuration Explorer instead of Network Explorer to debug server issues
Step 20 next section will explain how to generate log files
User Manual
NeoRouter Inc 2010 Page 53 of 53
Step 22 If your router does not support Hairpin please set serverrsquos LAN address in the Connection
Options dialog See Server Local Address
712 Generate Log
If you need technical support please use the following steps to collect the log files and send them to
supportneoroutercom
a Launch Network Explorer
b Select menu item HelpgtgtTroubleshootinggtgtLog Session to File
c If you want to troubleshoot the server then restart the NeoRouter server service from the servicesmsc if
you want to create log for the client then restart the NeoRouter client service from the servicemsc
d After reproduce the issue select menu item HelpgtgtTroubleshootinggtgt Log Session to File again to disable
the log and restart the service you are trying to log
e Select menu item HelpgtgtTroubleshootinggtgtOpen Configuration Folder and you will see the log file
For advanced users please setup logging settings manually referring to
httpwwwneoroutercomwikiindexphpNeoRouterWikiFAQHow_to_generate_a_log_file3F
72 Contact Us
Company website
httpwwwneoroutercom
Technical support
supportneoroutercom
Support ticket
httpswwwneoroutercomDashboardSendTicketaspx
Support forum
httpwwwneoroutercomforum
Product sales
salesneoroutercom
Knowledge base
httpwwwneoroutercomsupport
User Manual
NeoRouter Inc 2010 Page 48 of 53
54 Build Custom Add-on (Windows)
541 Create Custom Add-on You can customize an add-on or even create your own
As an example letrsquos create an add-on to get the system info of a remote computer using PsTools by Mark
Russinovich and systeminfoexe command shipped with Windows
PsTools httptechnetmicrosoftcomen-ussysinternalsbb896649aspx
systeminfo httptechnetmicrosoftcomen-uslibrarybb491007aspx
a Launch NeoRouter Network Explorer open Add-ons Manager dialog
b Click + button to create a new add-on
c In add-on properties dialog enter the following
Add-on name psexec systeminfo
Command
cmdexe C cpstoolspsexecexe NRIPAddress -u ltusernamegt systeminfo amp pause
Please replace ltusernamegt with username on the remote computer
Comment Get SystemInfo of remote machine using psexec
Startup Type Manual
Icon click Change Icon button to choose one thats easy to recognize
d In the command you can use Windows environment variables or NeoRouter variables like
NRIPAddress If you click on the button next to the Command edit box you will see the Edit
Command dialog with a list of variables you can use
User Manual
NeoRouter Inc 2010 Page 49 of 53
e Three Startup types are supported
Manual the add-on will be displayed in the launch pad of Network Explorer and user can manually
launch the program
Automatic after signing in the add-on command is automatically executed when user signs into
NeoRouter Network Explorer
Automatic after Windows starts the add-on command is automatically executed when Windows
starts
f Launch the new add-on just click on the target computer in Network Explorer and choose the add-on in
the pop-up launch pad
User Manual
NeoRouter Inc 2010 Page 50 of 53
g In the above steps I have assumed that PsTools are installed at cPsTools and the remote computer has
telnet service enabled If not lets configure the system now
PsTools download from httptechnetmicrosoftcomen-ussysinternalsbb896649aspx and extract to
cPsTools folder
h Configure telnet service on remote computer This step is required on XPVista but not necessary on
Windows 20032008 servers
Run servicesmsc from the Start -gt Run command window and configured the Telnet service for
Automatic Start the service
Follow the instructions here httpsupportmicrosoftcomkb298060en-us
Launch Windows firewall and add CWINDOWSSystem32tlntsvrexe to exception list
542 Add-on File Formats
NeoRouter supports two types of add-on files nri and nra Most users only need to deal with nri files all files
downloaded from httpwwwneoroutercomaddonsindexhtml are in this format nra files are used by advanced
users to build custom add-ons
nri is the full installation package that contains both the application and the the configure info Users can simply
download nri files from and use the Install button to setup the add-on
nra contains only the configuration info Advanced users can create custom add-ons and export the configuration
info as nra files using the Export button in the add-on properties dialog Then heshe can import the nra file
on another client But remember that you will need to manually setup the application as well
User Manual
NeoRouter Inc 2010 Page 51 of 53
6 Licensing NeoRouter
61 Licensing Overview
NeoRouter Server Professional Edition has a license control mechanism User can purchase either 8 licenses or 256
licenses The number of licenses is the max number of client computers allowed in the virtual network A
NeoRouter client requires one license regardless of whether it is online or offline A NeoRouter PortableUSB client
requires one license when it is connected to the virtual network There is no limit on the number of user accounts
NeoRouter Professional has 30 days trial period Please activate before the trial period expires to ensure
uninterrupted usage The license status and remaining trial days can be found at Configuration Explorerrsquos General
page
62 Activation
If you have purchased NeoRouter Professional Edition you should receive a product key in email Please have the
product key ready before starting the activation process
a Ensure NeoRouter server is running
b Launch Configuration Explorer and sign in
c Open ldquoGeneralrdquo page click on the ldquoActivate Productrdquo button
d Enter the product key in the following dialog
e Click on the ldquoOKrdquo button to activate it
After successful activation the ldquoActivate Productrdquo button will disappear and License status will show as activated
If the server host is non-Windows you can also activate using nrserverrsquos CLI The command is as follows On Mac
nrserver executable is located under LibraryNeoRouter
ldquonrserver ndashactivateproduct ltPRODUCT KEYgtrdquo
63 Product Key Recovery
You should receive a product key in email within 48 hours after your purchase If you lose the product key please
contact us and provide your name company shipping address and email address We will verify the information and
resend the product key to you
User Manual
NeoRouter Inc 2010 Page 52 of 53
7 Troubleshooting and Support
71 Troubleshooting
If you come cross issues when using NeoRouter please use the methods to debug or report
711 Troubleshooting steps
1Install Server
2Check Server
Process
3Check Server
Listening port
4Check Port
Forwarding
6Signin with
Domain
14Check Error
Message
20 Generate Log
and email support
9Install Client
10Check Client
Service Process
11Sign in with
serverrsquos local or
public IP and port
failed
sucessful
15 Manually Start
Servernot found
started
not start
found
not open17 Check Port
conflicts
solved
Not solved
opened
19 Check Router
Port Forward
setting
not work
Set properly
8Ready
Sign in successfully
5Sign in with
public IP and port
successful
Cannot sign in
22 Router Hairpin
issue
Cannot
sign in
12Sign in with
domain name
found
successful
failed
16 Manually Start
Client ServiceNot found
started
13Ready
Sign in successfully
18 Check serverCannot
Sign in
solved
Cannot
sign in
21 Check domain
setting
Not sovled solved
Troubleshooting Steps
Setup Server Setup Client
Note
Step 2 and 10 to check if a process is running you can use Task Manager or Services Console on
Windows or ps command on other platforms
Step 3 to check server listening port you can use telnet or netstat on all platforms You can also
TcpViewer on Windows or NetActView on Linux
Step 4 to check port forwarding you can use httpwwwneoroutercomcheckportphp
Step 5 and 6 Tip ndash use Configuration Explorer instead of Network Explorer to debug server issues
Step 20 next section will explain how to generate log files
User Manual
NeoRouter Inc 2010 Page 53 of 53
Step 22 If your router does not support Hairpin please set serverrsquos LAN address in the Connection
Options dialog See Server Local Address
712 Generate Log
If you need technical support please use the following steps to collect the log files and send them to
supportneoroutercom
a Launch Network Explorer
b Select menu item HelpgtgtTroubleshootinggtgtLog Session to File
c If you want to troubleshoot the server then restart the NeoRouter server service from the servicesmsc if
you want to create log for the client then restart the NeoRouter client service from the servicemsc
d After reproduce the issue select menu item HelpgtgtTroubleshootinggtgt Log Session to File again to disable
the log and restart the service you are trying to log
e Select menu item HelpgtgtTroubleshootinggtgtOpen Configuration Folder and you will see the log file
For advanced users please setup logging settings manually referring to
httpwwwneoroutercomwikiindexphpNeoRouterWikiFAQHow_to_generate_a_log_file3F
72 Contact Us
Company website
httpwwwneoroutercom
Technical support
supportneoroutercom
Support ticket
httpswwwneoroutercomDashboardSendTicketaspx
Support forum
httpwwwneoroutercomforum
Product sales
salesneoroutercom
Knowledge base
httpwwwneoroutercomsupport
User Manual
NeoRouter Inc 2010 Page 49 of 53
e Three Startup types are supported
Manual the add-on will be displayed in the launch pad of Network Explorer and user can manually
launch the program
Automatic after signing in the add-on command is automatically executed when user signs into
NeoRouter Network Explorer
Automatic after Windows starts the add-on command is automatically executed when Windows
starts
f Launch the new add-on just click on the target computer in Network Explorer and choose the add-on in
the pop-up launch pad
User Manual
NeoRouter Inc 2010 Page 50 of 53
g In the above steps I have assumed that PsTools are installed at cPsTools and the remote computer has
telnet service enabled If not lets configure the system now
PsTools download from httptechnetmicrosoftcomen-ussysinternalsbb896649aspx and extract to
cPsTools folder
h Configure telnet service on remote computer This step is required on XPVista but not necessary on
Windows 20032008 servers
Run servicesmsc from the Start -gt Run command window and configured the Telnet service for
Automatic Start the service
Follow the instructions here httpsupportmicrosoftcomkb298060en-us
Launch Windows firewall and add CWINDOWSSystem32tlntsvrexe to exception list
542 Add-on File Formats
NeoRouter supports two types of add-on files nri and nra Most users only need to deal with nri files all files
downloaded from httpwwwneoroutercomaddonsindexhtml are in this format nra files are used by advanced
users to build custom add-ons
nri is the full installation package that contains both the application and the the configure info Users can simply
download nri files from and use the Install button to setup the add-on
nra contains only the configuration info Advanced users can create custom add-ons and export the configuration
info as nra files using the Export button in the add-on properties dialog Then heshe can import the nra file
on another client But remember that you will need to manually setup the application as well
User Manual
NeoRouter Inc 2010 Page 51 of 53
6 Licensing NeoRouter
61 Licensing Overview
NeoRouter Server Professional Edition has a license control mechanism User can purchase either 8 licenses or 256
licenses The number of licenses is the max number of client computers allowed in the virtual network A
NeoRouter client requires one license regardless of whether it is online or offline A NeoRouter PortableUSB client
requires one license when it is connected to the virtual network There is no limit on the number of user accounts
NeoRouter Professional has 30 days trial period Please activate before the trial period expires to ensure
uninterrupted usage The license status and remaining trial days can be found at Configuration Explorerrsquos General
page
62 Activation
If you have purchased NeoRouter Professional Edition you should receive a product key in email Please have the
product key ready before starting the activation process
a Ensure NeoRouter server is running
b Launch Configuration Explorer and sign in
c Open ldquoGeneralrdquo page click on the ldquoActivate Productrdquo button
d Enter the product key in the following dialog
e Click on the ldquoOKrdquo button to activate it
After successful activation the ldquoActivate Productrdquo button will disappear and License status will show as activated
If the server host is non-Windows you can also activate using nrserverrsquos CLI The command is as follows On Mac
nrserver executable is located under LibraryNeoRouter
ldquonrserver ndashactivateproduct ltPRODUCT KEYgtrdquo
63 Product Key Recovery
You should receive a product key in email within 48 hours after your purchase If you lose the product key please
contact us and provide your name company shipping address and email address We will verify the information and
resend the product key to you
User Manual
NeoRouter Inc 2010 Page 52 of 53
7 Troubleshooting and Support
71 Troubleshooting
If you come cross issues when using NeoRouter please use the methods to debug or report
711 Troubleshooting steps
1Install Server
2Check Server
Process
3Check Server
Listening port
4Check Port
Forwarding
6Signin with
Domain
14Check Error
Message
20 Generate Log
and email support
9Install Client
10Check Client
Service Process
11Sign in with
serverrsquos local or
public IP and port
failed
sucessful
15 Manually Start
Servernot found
started
not start
found
not open17 Check Port
conflicts
solved
Not solved
opened
19 Check Router
Port Forward
setting
not work
Set properly
8Ready
Sign in successfully
5Sign in with
public IP and port
successful
Cannot sign in
22 Router Hairpin
issue
Cannot
sign in
12Sign in with
domain name
found
successful
failed
16 Manually Start
Client ServiceNot found
started
13Ready
Sign in successfully
18 Check serverCannot
Sign in
solved
Cannot
sign in
21 Check domain
setting
Not sovled solved
Troubleshooting Steps
Setup Server Setup Client
Note
Step 2 and 10 to check if a process is running you can use Task Manager or Services Console on
Windows or ps command on other platforms
Step 3 to check server listening port you can use telnet or netstat on all platforms You can also
TcpViewer on Windows or NetActView on Linux
Step 4 to check port forwarding you can use httpwwwneoroutercomcheckportphp
Step 5 and 6 Tip ndash use Configuration Explorer instead of Network Explorer to debug server issues
Step 20 next section will explain how to generate log files
User Manual
NeoRouter Inc 2010 Page 53 of 53
Step 22 If your router does not support Hairpin please set serverrsquos LAN address in the Connection
Options dialog See Server Local Address
712 Generate Log
If you need technical support please use the following steps to collect the log files and send them to
supportneoroutercom
a Launch Network Explorer
b Select menu item HelpgtgtTroubleshootinggtgtLog Session to File
c If you want to troubleshoot the server then restart the NeoRouter server service from the servicesmsc if
you want to create log for the client then restart the NeoRouter client service from the servicemsc
d After reproduce the issue select menu item HelpgtgtTroubleshootinggtgt Log Session to File again to disable
the log and restart the service you are trying to log
e Select menu item HelpgtgtTroubleshootinggtgtOpen Configuration Folder and you will see the log file
For advanced users please setup logging settings manually referring to
httpwwwneoroutercomwikiindexphpNeoRouterWikiFAQHow_to_generate_a_log_file3F
72 Contact Us
Company website
httpwwwneoroutercom
Technical support
supportneoroutercom
Support ticket
httpswwwneoroutercomDashboardSendTicketaspx
Support forum
httpwwwneoroutercomforum
Product sales
salesneoroutercom
Knowledge base
httpwwwneoroutercomsupport
User Manual
NeoRouter Inc 2010 Page 50 of 53
g In the above steps I have assumed that PsTools are installed at cPsTools and the remote computer has
telnet service enabled If not lets configure the system now
PsTools download from httptechnetmicrosoftcomen-ussysinternalsbb896649aspx and extract to
cPsTools folder
h Configure telnet service on remote computer This step is required on XPVista but not necessary on
Windows 20032008 servers
Run servicesmsc from the Start -gt Run command window and configured the Telnet service for
Automatic Start the service
Follow the instructions here httpsupportmicrosoftcomkb298060en-us
Launch Windows firewall and add CWINDOWSSystem32tlntsvrexe to exception list
542 Add-on File Formats
NeoRouter supports two types of add-on files nri and nra Most users only need to deal with nri files all files
downloaded from httpwwwneoroutercomaddonsindexhtml are in this format nra files are used by advanced
users to build custom add-ons
nri is the full installation package that contains both the application and the the configure info Users can simply
download nri files from and use the Install button to setup the add-on
nra contains only the configuration info Advanced users can create custom add-ons and export the configuration
info as nra files using the Export button in the add-on properties dialog Then heshe can import the nra file
on another client But remember that you will need to manually setup the application as well
User Manual
NeoRouter Inc 2010 Page 51 of 53
6 Licensing NeoRouter
61 Licensing Overview
NeoRouter Server Professional Edition has a license control mechanism User can purchase either 8 licenses or 256
licenses The number of licenses is the max number of client computers allowed in the virtual network A
NeoRouter client requires one license regardless of whether it is online or offline A NeoRouter PortableUSB client
requires one license when it is connected to the virtual network There is no limit on the number of user accounts
NeoRouter Professional has 30 days trial period Please activate before the trial period expires to ensure
uninterrupted usage The license status and remaining trial days can be found at Configuration Explorerrsquos General
page
62 Activation
If you have purchased NeoRouter Professional Edition you should receive a product key in email Please have the
product key ready before starting the activation process
a Ensure NeoRouter server is running
b Launch Configuration Explorer and sign in
c Open ldquoGeneralrdquo page click on the ldquoActivate Productrdquo button
d Enter the product key in the following dialog
e Click on the ldquoOKrdquo button to activate it
After successful activation the ldquoActivate Productrdquo button will disappear and License status will show as activated
If the server host is non-Windows you can also activate using nrserverrsquos CLI The command is as follows On Mac
nrserver executable is located under LibraryNeoRouter
ldquonrserver ndashactivateproduct ltPRODUCT KEYgtrdquo
63 Product Key Recovery
You should receive a product key in email within 48 hours after your purchase If you lose the product key please
contact us and provide your name company shipping address and email address We will verify the information and
resend the product key to you
User Manual
NeoRouter Inc 2010 Page 52 of 53
7 Troubleshooting and Support
71 Troubleshooting
If you come cross issues when using NeoRouter please use the methods to debug or report
711 Troubleshooting steps
1Install Server
2Check Server
Process
3Check Server
Listening port
4Check Port
Forwarding
6Signin with
Domain
14Check Error
Message
20 Generate Log
and email support
9Install Client
10Check Client
Service Process
11Sign in with
serverrsquos local or
public IP and port
failed
sucessful
15 Manually Start
Servernot found
started
not start
found
not open17 Check Port
conflicts
solved
Not solved
opened
19 Check Router
Port Forward
setting
not work
Set properly
8Ready
Sign in successfully
5Sign in with
public IP and port
successful
Cannot sign in
22 Router Hairpin
issue
Cannot
sign in
12Sign in with
domain name
found
successful
failed
16 Manually Start
Client ServiceNot found
started
13Ready
Sign in successfully
18 Check serverCannot
Sign in
solved
Cannot
sign in
21 Check domain
setting
Not sovled solved
Troubleshooting Steps
Setup Server Setup Client
Note
Step 2 and 10 to check if a process is running you can use Task Manager or Services Console on
Windows or ps command on other platforms
Step 3 to check server listening port you can use telnet or netstat on all platforms You can also
TcpViewer on Windows or NetActView on Linux
Step 4 to check port forwarding you can use httpwwwneoroutercomcheckportphp
Step 5 and 6 Tip ndash use Configuration Explorer instead of Network Explorer to debug server issues
Step 20 next section will explain how to generate log files
User Manual
NeoRouter Inc 2010 Page 53 of 53
Step 22 If your router does not support Hairpin please set serverrsquos LAN address in the Connection
Options dialog See Server Local Address
712 Generate Log
If you need technical support please use the following steps to collect the log files and send them to
supportneoroutercom
a Launch Network Explorer
b Select menu item HelpgtgtTroubleshootinggtgtLog Session to File
c If you want to troubleshoot the server then restart the NeoRouter server service from the servicesmsc if
you want to create log for the client then restart the NeoRouter client service from the servicemsc
d After reproduce the issue select menu item HelpgtgtTroubleshootinggtgt Log Session to File again to disable
the log and restart the service you are trying to log
e Select menu item HelpgtgtTroubleshootinggtgtOpen Configuration Folder and you will see the log file
For advanced users please setup logging settings manually referring to
httpwwwneoroutercomwikiindexphpNeoRouterWikiFAQHow_to_generate_a_log_file3F
72 Contact Us
Company website
httpwwwneoroutercom
Technical support
supportneoroutercom
Support ticket
httpswwwneoroutercomDashboardSendTicketaspx
Support forum
httpwwwneoroutercomforum
Product sales
salesneoroutercom
Knowledge base
httpwwwneoroutercomsupport
User Manual
NeoRouter Inc 2010 Page 51 of 53
6 Licensing NeoRouter
61 Licensing Overview
NeoRouter Server Professional Edition has a license control mechanism User can purchase either 8 licenses or 256
licenses The number of licenses is the max number of client computers allowed in the virtual network A
NeoRouter client requires one license regardless of whether it is online or offline A NeoRouter PortableUSB client
requires one license when it is connected to the virtual network There is no limit on the number of user accounts
NeoRouter Professional has 30 days trial period Please activate before the trial period expires to ensure
uninterrupted usage The license status and remaining trial days can be found at Configuration Explorerrsquos General
page
62 Activation
If you have purchased NeoRouter Professional Edition you should receive a product key in email Please have the
product key ready before starting the activation process
a Ensure NeoRouter server is running
b Launch Configuration Explorer and sign in
c Open ldquoGeneralrdquo page click on the ldquoActivate Productrdquo button
d Enter the product key in the following dialog
e Click on the ldquoOKrdquo button to activate it
After successful activation the ldquoActivate Productrdquo button will disappear and License status will show as activated
If the server host is non-Windows you can also activate using nrserverrsquos CLI The command is as follows On Mac
nrserver executable is located under LibraryNeoRouter
ldquonrserver ndashactivateproduct ltPRODUCT KEYgtrdquo
63 Product Key Recovery
You should receive a product key in email within 48 hours after your purchase If you lose the product key please
contact us and provide your name company shipping address and email address We will verify the information and
resend the product key to you
User Manual
NeoRouter Inc 2010 Page 52 of 53
7 Troubleshooting and Support
71 Troubleshooting
If you come cross issues when using NeoRouter please use the methods to debug or report
711 Troubleshooting steps
1Install Server
2Check Server
Process
3Check Server
Listening port
4Check Port
Forwarding
6Signin with
Domain
14Check Error
Message
20 Generate Log
and email support
9Install Client
10Check Client
Service Process
11Sign in with
serverrsquos local or
public IP and port
failed
sucessful
15 Manually Start
Servernot found
started
not start
found
not open17 Check Port
conflicts
solved
Not solved
opened
19 Check Router
Port Forward
setting
not work
Set properly
8Ready
Sign in successfully
5Sign in with
public IP and port
successful
Cannot sign in
22 Router Hairpin
issue
Cannot
sign in
12Sign in with
domain name
found
successful
failed
16 Manually Start
Client ServiceNot found
started
13Ready
Sign in successfully
18 Check serverCannot
Sign in
solved
Cannot
sign in
21 Check domain
setting
Not sovled solved
Troubleshooting Steps
Setup Server Setup Client
Note
Step 2 and 10 to check if a process is running you can use Task Manager or Services Console on
Windows or ps command on other platforms
Step 3 to check server listening port you can use telnet or netstat on all platforms You can also
TcpViewer on Windows or NetActView on Linux
Step 4 to check port forwarding you can use httpwwwneoroutercomcheckportphp
Step 5 and 6 Tip ndash use Configuration Explorer instead of Network Explorer to debug server issues
Step 20 next section will explain how to generate log files
User Manual
NeoRouter Inc 2010 Page 53 of 53
Step 22 If your router does not support Hairpin please set serverrsquos LAN address in the Connection
Options dialog See Server Local Address
712 Generate Log
If you need technical support please use the following steps to collect the log files and send them to
supportneoroutercom
a Launch Network Explorer
b Select menu item HelpgtgtTroubleshootinggtgtLog Session to File
c If you want to troubleshoot the server then restart the NeoRouter server service from the servicesmsc if
you want to create log for the client then restart the NeoRouter client service from the servicemsc
d After reproduce the issue select menu item HelpgtgtTroubleshootinggtgt Log Session to File again to disable
the log and restart the service you are trying to log
e Select menu item HelpgtgtTroubleshootinggtgtOpen Configuration Folder and you will see the log file
For advanced users please setup logging settings manually referring to
httpwwwneoroutercomwikiindexphpNeoRouterWikiFAQHow_to_generate_a_log_file3F
72 Contact Us
Company website
httpwwwneoroutercom
Technical support
supportneoroutercom
Support ticket
httpswwwneoroutercomDashboardSendTicketaspx
Support forum
httpwwwneoroutercomforum
Product sales
salesneoroutercom
Knowledge base
httpwwwneoroutercomsupport
User Manual
NeoRouter Inc 2010 Page 52 of 53
7 Troubleshooting and Support
71 Troubleshooting
If you come cross issues when using NeoRouter please use the methods to debug or report
711 Troubleshooting steps
1Install Server
2Check Server
Process
3Check Server
Listening port
4Check Port
Forwarding
6Signin with
Domain
14Check Error
Message
20 Generate Log
and email support
9Install Client
10Check Client
Service Process
11Sign in with
serverrsquos local or
public IP and port
failed
sucessful
15 Manually Start
Servernot found
started
not start
found
not open17 Check Port
conflicts
solved
Not solved
opened
19 Check Router
Port Forward
setting
not work
Set properly
8Ready
Sign in successfully
5Sign in with
public IP and port
successful
Cannot sign in
22 Router Hairpin
issue
Cannot
sign in
12Sign in with
domain name
found
successful
failed
16 Manually Start
Client ServiceNot found
started
13Ready
Sign in successfully
18 Check serverCannot
Sign in
solved
Cannot
sign in
21 Check domain
setting
Not sovled solved
Troubleshooting Steps
Setup Server Setup Client
Note
Step 2 and 10 to check if a process is running you can use Task Manager or Services Console on
Windows or ps command on other platforms
Step 3 to check server listening port you can use telnet or netstat on all platforms You can also
TcpViewer on Windows or NetActView on Linux
Step 4 to check port forwarding you can use httpwwwneoroutercomcheckportphp
Step 5 and 6 Tip ndash use Configuration Explorer instead of Network Explorer to debug server issues
Step 20 next section will explain how to generate log files
User Manual
NeoRouter Inc 2010 Page 53 of 53
Step 22 If your router does not support Hairpin please set serverrsquos LAN address in the Connection
Options dialog See Server Local Address
712 Generate Log
If you need technical support please use the following steps to collect the log files and send them to
supportneoroutercom
a Launch Network Explorer
b Select menu item HelpgtgtTroubleshootinggtgtLog Session to File
c If you want to troubleshoot the server then restart the NeoRouter server service from the servicesmsc if
you want to create log for the client then restart the NeoRouter client service from the servicemsc
d After reproduce the issue select menu item HelpgtgtTroubleshootinggtgt Log Session to File again to disable
the log and restart the service you are trying to log
e Select menu item HelpgtgtTroubleshootinggtgtOpen Configuration Folder and you will see the log file
For advanced users please setup logging settings manually referring to
httpwwwneoroutercomwikiindexphpNeoRouterWikiFAQHow_to_generate_a_log_file3F
72 Contact Us
Company website
httpwwwneoroutercom
Technical support
supportneoroutercom
Support ticket
httpswwwneoroutercomDashboardSendTicketaspx
Support forum
httpwwwneoroutercomforum
Product sales
salesneoroutercom
Knowledge base
httpwwwneoroutercomsupport
User Manual
NeoRouter Inc 2010 Page 53 of 53
Step 22 If your router does not support Hairpin please set serverrsquos LAN address in the Connection
Options dialog See Server Local Address
712 Generate Log
If you need technical support please use the following steps to collect the log files and send them to
supportneoroutercom
a Launch Network Explorer
b Select menu item HelpgtgtTroubleshootinggtgtLog Session to File
c If you want to troubleshoot the server then restart the NeoRouter server service from the servicesmsc if
you want to create log for the client then restart the NeoRouter client service from the servicemsc
d After reproduce the issue select menu item HelpgtgtTroubleshootinggtgt Log Session to File again to disable
the log and restart the service you are trying to log
e Select menu item HelpgtgtTroubleshootinggtgtOpen Configuration Folder and you will see the log file
For advanced users please setup logging settings manually referring to
httpwwwneoroutercomwikiindexphpNeoRouterWikiFAQHow_to_generate_a_log_file3F
72 Contact Us
Company website
httpwwwneoroutercom
Technical support
supportneoroutercom
Support ticket
httpswwwneoroutercomDashboardSendTicketaspx
Support forum
httpwwwneoroutercomforum
Product sales
salesneoroutercom
Knowledge base
httpwwwneoroutercomsupport